
Magento Community Edition 2.x < 2.0.10 Multiple Vulnerabilities

Critical

Synopsis

The remote web server is running an outdated instance of Magento Community Edition (CE) that is affected by multiple vulnerabilities.

Description

Versions of Magento CE 2.x prior to 2.0.10 are affected by multiple vulnerabilities:

- An unspecified flaw exists related to certain payment methods that may allow a remote attacker to execute arbitrary code. No further details have been provided. (OSVDB 145698)
- An SQL injection flaw exists because the Admin Panel does not properly sanitize input to the 'ordering' or 'grouping' parameters before using it in SQL queries. This may allow an authenticated remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. (OSVDB 145699)
- A stored cross-site scripting (XSS) flaw exists because the program does not validate input when handling email templates before returning it to users previewing those templates. This may allow a remote attacker to create a specially crafted request that executes arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 145700)
- A flaw exists that may allow a remote attacker to manipulate parameters to change the price of an order and then check out at the modified price. (OSVDB 145702)
- An unspecified flaw exists in the Guest Order View protection that may allow a remote attacker to conduct a brute-force attack and gain unauthorized access to certain information about guest orders. (OSVDB 145703)
- An XSS flaw exists because the program does not validate input when loading content sections before returning it to users. This may allow a remote attacker to create a specially crafted request that executes arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 145704)
- A cross-site request forgery (CSRF/XSRF) flaw exists because HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can cause the victim to delete store address book entries. (OSVDB 145705)
- An unspecified flaw exists when a store is in maintenance mode that may allow a remote attacker to disclose internal files. No further details have been provided. (OSVDB 145706)
- A local file inclusion (LFI) flaw exists because the program uses request input when building the path of a file to include. With a specially crafted request, a remote attacker can include arbitrary files from the targeted host, which may disclose file contents or execute files such as PHP scripts. Such attacks are limited to files already present on the target host. (OSVDB 145707)
- A CSRF/XSRF flaw exists because HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can cause the victim to delete the currently logged-in user. (OSVDB 145708)
- A CSRF/XSRF flaw exists because HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can cause the victim to delete items from their mini cart. (OSVDB 145710)
- A CSRF/XSRF flaw exists because HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can cause the victim to create a system backup. (OSVDB 145711)
- A flaw exists because the program fails to terminate sessions after a user has logged out. This may allow a remote attacker to more easily conduct a session hijacking attack, or allow an attacker with access to a user's computer to use the site after the user believes they have logged out. (OSVDB 145712)
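The 'ordering'/'grouping' issue above (OSVDB 145699) is the classic identifier-injection case: a sort column cannot be passed as a bind parameter, so code tends to paste it into the query string. The following is an added example, not code from the advisory or from Magento, using an in-memory SQLite table standing in for an admin order grid. It shows how an attacker extracts data through nothing but the resulting sort order, and the allowlist that closes the hole. All table, column and row values are constructed for the demo.

```python
"""Added example, not code from the advisory or from Magento: why a
user-controlled ORDER BY identifier must be allowlisted rather than
escaped or bound. Table, column and row values are constructed."""
import sqlite3
import string

# Constructed sample rows: (entity_id, customer_email, grand_total).
ORDER_ROWS = [
    (1, "alice@example.com", 20.00),
    (2, "bob@example.com", 35.50),
    (3, "carol@example.com", 12.25),
]


def make_db():
    """Build the demo database; the admin_user row is the secret an attacker wants."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sales_order (entity_id INTEGER, customer_email TEXT, grand_total REAL)")
    con.execute("CREATE TABLE admin_user (user_id INTEGER, username TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO sales_order VALUES (?, ?, ?)", ORDER_ROWS)
    con.execute("INSERT INTO admin_user VALUES (1, 'admin', 'c0nstructed-hash')")
    return con


def vulnerable_order_query(con, ordering):
    """Vulnerable pattern: the sort expression is pasted into the SQL.
    A '?' placeholder cannot carry an identifier, so this is the shape
    developers fall back to, and any expression the database accepts runs."""
    sql = f"SELECT entity_id FROM sales_order ORDER BY {ordering}"
    return [row[0] for row in con.execute(sql)]


def infer_first_char(con, candidates=string.ascii_lowercase + string.digits):
    """Blind extraction through sort order alone: the CASE expression sorts by
    entity_id (1, 2, 3) when the guess is right and by grand_total (3, 1, 2)
    when it is wrong, so the attacker learns one character of the admin
    password hash without that value ever appearing in a response."""
    for ch in candidates:
        payload = (
            "(CASE WHEN (SELECT substr(password_hash, 1, 1) FROM admin_user) = "
            f"'{ch}' THEN entity_id ELSE grand_total END)"
        )
        if vulnerable_order_query(con, payload) == [1, 2, 3]:
            return ch
    return None


# Hardened pattern: map the request parameter onto a fixed set of identifiers.
ALLOWED_ORDERING = {"entity_id", "customer_email", "grand_total"}
ALLOWED_DIRECTION = {"ASC", "DESC"}


def ordering_is_accepted(ordering, direction="ASC"):
    """Allowlist check applied before anything reaches the SQL string."""
    return ordering in ALLOWED_ORDERING and direction.upper() in ALLOWED_DIRECTION


def safe_order_query(con, ordering, direction="ASC"):
    """Only allowlisted column names and directions are interpolated."""
    if not ordering_is_accepted(ordering, direction):
        raise ValueError(f"rejected ordering parameter: {ordering!r} {direction!r}")
    sql = f"SELECT entity_id FROM sales_order ORDER BY {ordering} {direction.upper()}"
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("leaked first char of password hash:", infer_first_char(db))
    print("safe query by grand_total DESC:", safe_order_query(db, "grand_total", "DESC"))
```

Looping `infer_first_char` over successive `substr` offsets recovers the whole value one character per round of guesses, which is why the advisory rates the outcome as disclosure of arbitrary data even though the grid only ever shows order rows. The fix is a closed mapping from parameter value to column name; escaping quotes does nothing here because the payload contains no string context to break out of.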

Solution

Upgrade to Magento CE version 2.0.10 or later.
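A version check for the "2.x prior to 2.0.10" condition is easy to get wrong because the fixed release has a two-digit patch number. The following is an added example, not the scanner's own plugin logic; the version strings it handles are constructed, and how a scanner fingerprints the version in the first place is outside its scope.

```python
"""Added example, not part of the advisory: an affected-version check for the
'2.x < 2.0.10' condition. Version strings are constructed inputs."""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) as integers. Anything else is rejected
    rather than guessed at, so a malformed banner never yields 'not affected'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version, fixed_in=(2, 0, 10), major=2):
    """True when the install is in the advisory's major branch and older
    than the fixed release. Integer tuples are compared, which is the point:
    as strings, '2.0.9' sorts after '2.0.10', the wrong answer here."""
    v = parse_version(version)
    return v[0] == major and v < fixed_in


def naive_string_check(version, fixed_in="2.0.10"):
    """The mistake to avoid: lexical comparison of dotted version strings."""
    return version < fixed_in


if __name__ == "__main__":
    for v in ("2.0.9", "2.0.10", "2.1.0", "1.9.3"):
        print(v, "affected:", is_affected(v), "naive:", naive_string_check(v))
```

The `major` parameter keeps 1.x installs out of this advisory's scope; they are a separate product line with their own fixed versions and should be matched by their own check rather than by a bare "less than 2.0.10" comparison.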