Magento Community Edition < 1.9.2.3 Multiple Vulnerabilities

Nessus Network Monitor Plugin ID 9679 (severity: high)

Synopsis

The remote web server is running an outdated instance of Magento Community Edition (CE) that is affected by multiple attack vectors.

Description

Versions of Magento CE prior to 1.9.2.3 are affected by multiple vulnerabilities:

- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the program does not validate input to the Pro Payment Module when handling requests before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- An unspecified flaw exists in Guest Order View protection that may allow an attacker to conduct a brute-force attack and gain access to order information from the store.
- A flaw exists that allows a stored XSS attack. This flaw exists because the program does not validate input to the file name of uploaded files before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that is due to the program failing to sufficiently verify request parameters. This may allow an authenticated remote attacker to delete or edit product reviews and send them back to a pending state.
- A flaw exists in form keys as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF/XSRF) attack causing the victim to delete items from shopping carts.
- A flaw exists that allows a stored XSS attack. This flaw exists because the 'app/design/adminhtml/default/default/template/sales/order/view/info.phtml' script does not validate input to email addresses supplied during customer registration before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a stored XSS attack. This flaw exists because the program does not validate input passed via the 'HTTP_X_FORWARDED_FOR' header to the Order View Forms in the Admin Panel before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists in the 'getOrderByStatusUrlKey' method of the 'Mage_Rss_Helper_Order' class, located in the '/app/code/core/Mage/Rss/Helper/Order.php' script. The issue is triggered when the 'increment_id' and 'customer_id' parameters carried inside a data request parameter of RSS feed requests are not properly validated. This may potentially allow a remote attacker to download order comments and other order-related information.
- A flaw exists as HTTP requests to the Backend Login page do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a CSRF/XSRF attack causing the victim to perform unspecified actions.
- A flaw exists that is triggered as file types and extensions for uploaded logo files are not properly validated before being placed in a user-accessible path. This may allow a remote attacker to upload a specially crafted file and then request it in order to execute arbitrary code with the privileges of the web service.
- A flaw exists as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a CSRF/XSRF attack causing the victim to perform administrative actions, such as deleting customers.
- A flaw exists that is triggered when a specially crafted exported formula is opened in a spreadsheet viewing program, such as Excel. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the email address associated with a store newsletter. This may potentially allow a remote attacker to interfere with the sending of newsletters. No further details have been provided.
- A flaw exists in the Authorize.net payment module's URLs that may allow a remote attacker to disclose the admin panel's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- A flaw exists that allows a stored XSS attack. This flaw exists because the program does not validate input to strings in inline translations before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a stored XSS attack. This flaw exists because the program does not validate input to custom option titles before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that is triggered when unserializing specially crafted objects. This may potentially allow a remote attacker to execute arbitrary code when combined with another vulnerability.
- An unspecified flaw exists in the Magento frontend that may allow an attacker to bypass CAPTCHA testing mechanisms. No further information has been provided.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the program does not validate input to the 'Coupon Code' field in Shopping Carts before returning it to users. This may allow an administrator to create a specially crafted request that would execute arbitrary script code against themselves in the context of their own session.
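The following is an added example, not Tenable's plugin code, showing the version gate behind this finding: a reported Magento CE version is compared numerically against the 1.9.2.3 fix release, and an older release is only cleared if the SUPEE-7405 patch is recorded as applied. The applied-patches file name and its line format are assumptions; the sample inputs are constructed.

```python
import re

# First CE release that carries the fix, per the Solution section of the advisory.
FIXED_VERSION = (1, 9, 2, 3)
# Patch id as it is expected to appear in Magento 1's app/etc/applied.patches.list
# (assumption: file name and one-patch-per-line layout are not taken from the advisory).
PATCH_ID = "SUPEE-7405"


def parse_version(text):
    """Extract the first dotted version from a banner or version string.

    Components are compared as integers, not as text, so 1.9.10.0 sorts after
    1.9.2.3; shorter strings are right-padded with zeros so '1.9.2' is 1.9.2.0.
    """
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError("no dotted version found in %r" % text)
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * (len(FIXED_VERSION) - len(parts))


def is_vulnerable_version(text):
    """True when the reported version predates the 1.9.2.3 fix release."""
    return parse_version(text) < FIXED_VERSION


def patch_applied(applied_patches_text):
    """True if the SUPEE-7405 patch id appears on any line of the patch log."""
    return any(PATCH_ID in line for line in applied_patches_text.splitlines())


def assess(version_text, applied_patches_text=""):
    """Combine both signals so an older, patched install is not flagged."""
    if not is_vulnerable_version(version_text):
        return "not affected (fixed release)"
    if patch_applied(applied_patches_text):
        return "not affected (SUPEE-7405 applied)"
    return "AFFECTED: upgrade to 1.9.2.3 or later, or apply SUPEE-7405"


if __name__ == "__main__":
    # Constructed sample inputs, not real scan output or a real patch log.
    SAMPLE_PATCH_LOG = "constructed entry | SUPEE-7405 | CE_1.9.2.2\n"
    for banner in ("Magento/1.9.2.2", "Magento/1.9.2.3", "Magento/1.9.10.0"):
        print(banner, "->", assess(banner))
    print("1.9.2.2 with patch ->", assess("1.9.2.2", SAMPLE_PATCH_LOG))
```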

Solution

Upgrade to Magento CE version 1.9.2.3 or later.

See Also

https://magento.com/security/patches/supee-7405

Plugin Details

Severity: High

ID: 9679

Family: CGI

Published: 10/14/2016

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:magento:magento

Patch Publication Date: 1/20/2016

Vulnerability Publication Date: 1/20/2016

Reference Information

CVE: CVE-2016-2212

BID: 83376