During an audit of their WAF, Sucuri discovered a dangerous, but also easy-to-exploit, stored XSS vulnerability in all versions of Magento. The issue could allow attackers to take over your site, create new administrator accounts, steal client information – in fact, do anything a legitimate administrator account is allowed to do!
Sucuri responsibly disclosed this to the Magento team, but worryingly it took them nearly two and a half months to release a patch for it! That patch (Magento CE 1.9.2.3, Magento EE 1.14.2.3) was released on Friday 22nd January, and every single Magento user is strongly encouraged to upgrade as soon as possible.
For full technical details of the vulnerability, see the original Sucuri disclosure – and kudos to them yet again for their great work.
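To illustrate the class of bug involved, here is an added PHP example (not Magento code, not from Havenswift, and not taken from the Sucuri disclosure; the post above does not describe the exact injection point of the reported bug). It shows the general defensive pattern that stops a stored XSS: a value a customer typed into a form and that was saved to the database must be HTML-encoded at the moment an admin page renders it, never concatenated in raw. The function names and the sample values are assumptions constructed for the example.

```php
<?php
// Added example: generic stored-XSS mitigation in PHP. Not Magento's code.
declare(strict_types=1);

/**
 * Encode a string for safe insertion into HTML body text or a
 * double-quoted attribute value. ENT_QUOTES also encodes ' and ",
 * so the result is safe inside attributes as well as between tags.
 */
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable rendering: the stored value is concatenated straight into
 * the admin page, so any markup it contains is interpreted by the
 * administrator's browser inside the administrator's session.
 */
function renderCustomerNameVulnerable(string $storedName): string
{
    return '<td class="customer-name">' . $storedName . '</td>';
}

/**
 * Hardened rendering: identical output for ordinary names, but any
 * markup in the stored value is shown as inert text.
 */
function renderCustomerNameSafe(string $storedName): string
{
    return '<td class="customer-name">' . escapeHtml($storedName) . '</td>';
}

// Constructed sample values, as a customer might have entered them into
// a registration or checkout form. The second one carries a harmless
// <b> tag purely to show how encoding neutralises markup.
$samples = [
    "Jane O'Brien",
    "Jane <b>O'Brien</b>",
];

foreach ($samples as $name) {
    echo "stored value : {$name}\n";
    echo "vulnerable   : " . renderCustomerNameVulnerable($name) . "\n";
    echo "hardened     : " . renderCustomerNameSafe($name) . "\n\n";
}
```

The point to take from the two output lines is that the vulnerable render hands the browser a `<b>` element, while the hardened render hands it the literal characters `&lt;b&gt;`. Whatever a customer managed to store, the admin page stays in control of its own markup, which is the property the Magento patch restores.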
There Are 2 Comments
charles on 25 Jan, 2016
Who or what is Magento?
Havenswift Hosting on 27 Jan, 2016
Magento is one of a large number of E-Commerce software products – see https://www.havenswift-hosting.co.uk/ecommerce-solutions/magento/ for basic details and https://www.havenswift-hosting.co.uk/website-hosting/magento-hosting/ for details of our semi-dedicated hosting packages for Magento. We primarily concentrate on providing high quality E-Commerce hosting solutions for customers, but specialise in CubeCart, Magento and OpenCart, and so look to inform our readers of issues with these products.