Magento Community Edition < 1.9.2.0 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9676

Synopsis

The remote web server is running an outdated instance of Magento Community Edition (CE) that is affected by multiple attack vectors.

Description

Versions of Magento CE prior to 1.9.2.0 are affected by multiple vulnerabilities:

- A flaw exists that is triggered as the program fails to properly check authorized URLs. This may allow a remote attacker to gain access to potentially sensitive order, order ID, and customer name information or potentially gain elevated privileges.
- A flaw exists in the Magento Connect Manager as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF/XSRF) attack causing the victim to install modules, or potentially take other administrative actions, which may allow the attacker to subsequently execute arbitrary code.
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the program does not validate input to the customer name field in a Wishlist before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows an XSS attack. This flaw exists because the empty cart page does not validate input to redirection links before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists in Magento Connect that may allow a remote attacker to disclose the software's installation path via a direct request to unspecified files. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- A flaw exists that is due to the program setting insecure permissions on log files. This may allow a local attacker to read or make changes to log files.
- A flaw exists that allows a stored XSS attack. This flaw exists because the admin console does not validate input to widget titles before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a stored XSS attack. This flaw exists because the New Orders RSS feed does not validate input to the customer name field before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- An unspecified flaw exists that may allow an attacker to gain access to address book information. No further details have been provided by the vendor.
- A flaw exists that is triggered when the program fails to protect customer address book information. This may allow an authenticated remote attacker to gain access to name, address, and phone information by entering sequential IDs during checkout.
- A flaw exists that is triggered when the program fails to protect information in recurring payment profiles, which use predictable, sequential IDs. This may allow an authenticated remote attacker to gain access to name, address, and phone information by incrementing their own recurring profile's ID.
- A flaw exists in the media cache that may allow a remote attacker to disclose the software's installation path via requests for non-existent images. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the Downloader does not validate input before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that is triggered during the handling of exported spreadsheet formulas. This may allow a context-dependent attacker to execute arbitrary code.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the Authorize.Net direct post module does not validate input before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that is triggered during the handling of packages. This may allow a context-dependent attacker to overwrite arbitrary system files.

Solution

Upgrade to Magento CE version 1.9.2.0 or later.
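The version comparison this plugin's check boils down to, written out as an added example (not Nessus plugin code): normalize a Magento CE version banner and decide whether it falls below the fixed release 1.9.2.0. The function names, the parsing rules and the sample banners are assumptions.

```python
import re

# Fixed release named in the Solution section: versions strictly below it are affected.
FIXED_VERSION = (1, 9, 2, 0)

# Accepts an optional leading 'v' and stops at the first non-numeric suffix
# (e.g. '-patch', ' CE'); the rule is an assumption for this example.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return a 4-tuple of ints from a version banner, or None if unparseable.

    Missing trailing components are padded with zeros so '1.9' == (1, 9, 0, 0).
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version_text):
    """True when the version parses and is strictly below 1.9.2.0.

    An unparseable banner returns None so the caller treats the host as
    'unknown' instead of silently marking it clean.
    """
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_VERSION


def triage(banners):
    """Map each banner to True (affected), False (fixed) or None (unknown)."""
    return {b: is_affected(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample banners, not real scan output.
    sample = ["1.9.1.1", "1.9.2.0", "1.9.2.1", "1.9", "v1.8.1.0-patch", "unknown"]
    for banner, result in triage(sample).items():
        print(f"{banner!r:>18} -> {result}")
```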

See Also

http://magento.com/security/patches/supee-6285

Plugin Details

Severity: High

ID: 9676

Family: CGI

Published: 10/14/2016

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:magento:magento

Patch Publication Date: 7/7/2015

Vulnerability Publication Date: 7/7/2015