Magento Community Edition 2.x < 2.1.2 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 700414

Synopsis

The remote web server is running an outdated instance of Magento Community Edition (CE) that is affected by multiple vulnerabilities.

Description

Versions of Magento CE 2.x prior to 2.1.2 are affected by multiple vulnerabilities:

- An unspecified flaw exists related to certain payment methods that may allow a remote attacker to potentially execute arbitrary code. No further details have been provided.
- A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the Admin Panel not properly sanitizing input to the 'ordering' or 'grouping' parameters before using it in SQL queries. This may allow an authenticated remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when handling email templates before returning it to users when previewing the templates. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that may allow a remote attacker to manipulate parameters to change the price of orders, and then checkout with the modified price.
- An unspecified flaw exists in Guest Order View protection that may allow a remote attacker to conduct a brute-force attack and gain unauthorized access to certain information about guest orders.
- A flaw exists that allows an XSS attack. This flaw exists because the program does not validate input when loading content sections before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF/XSRF) attack causing the victim to delete store address book entries.
- An unspecified flaw exists when stores are in maintenance mode that may allow a remote attacker to disclose internal files. No further details have been provided.
- A local file inclusion (LFI) flaw exists due to the program using input when crafting the path for a file to include. With a specially crafted request, a remote attacker can include arbitrary files from the targeted host. This may allow disclosing file contents or executing files like PHP scripts. Such attacks are limited due to the script only calling files already on the target host.
- A flaw exists as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF/XSRF) attack causing the victim to delete the currently logged-in user.
- A flaw exists as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a CSRF/XSRF attack causing the victim to delete items from their mini cart.
- A flaw exists as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a CSRF/XSRF attack causing the victim to create a system backup.
- A flaw exists that is due to the program failing to terminate sessions after a user has logged out. This may allow a remote attacker to more easily conduct a session hijacking attack, or allow an attacker with access to a user's computer to access the site after they believe they have logged out.

Solution

Upgrade to Magento CE version 2.1.2 or later.
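The plugin's affected-version rule ("2.x prior to 2.1.2") is simple but easy to get wrong with string comparison (e.g. "2.1.10" sorting before "2.1.2"). The following is an added example, not Tenable's plugin code, showing how a defender can apply that rule to an inventory of detected Magento versions with a proper numeric tuple comparison. The inventory records and hostnames are constructed for illustration.

```python
import re

# Fixed version per the plugin's Solution: 2.1.2 or later is not affected.
FIXED_VERSION = (2, 1, 2)
AFFECTED_MAJOR = 2


def parse_version(version_str):
    """Parse 'MAJOR.MINOR[.PATCH]' into an int tuple; a missing patch is 0.

    Numeric tuples compare correctly, unlike raw strings where
    '2.1.10' < '2.1.2' would be true lexicographically.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version_str)
    if not m:
        raise ValueError("unrecognised Magento version string: %r" % version_str)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_str):
    """True when the version falls under this plugin's rule: 2.x and < 2.1.2."""
    v = parse_version(version_str)
    return v[0] == AFFECTED_MAJOR and v < FIXED_VERSION


def affected_hosts(inventory):
    """Return the hostnames whose recorded Magento CE version is affected.

    `inventory` is an iterable of (hostname, version_string) pairs, e.g. the
    output of a software-inventory or banner-grab stage. Unparseable versions
    are skipped rather than silently treated as safe or affected.
    """
    hits = []
    for host, version in inventory:
        try:
            if is_affected(version):
                hits.append(host)
        except ValueError:
            # Unknown format: leave it for manual review, do not classify.
            continue
    return hits


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("shop-a.example.test", "2.1.1"),   # affected
        ("shop-b.example.test", "2.1.2"),   # fixed version, not affected
        ("shop-c.example.test", "2.0.10"),  # 2.x below 2.1.2 -> affected per rule
        ("shop-d.example.test", "2.1.10"),  # above 2.1.2, not affected
        ("shop-e.example.test", "1.9.3"),   # 1.x is outside this plugin's scope
        ("shop-f.example.test", "unknown"), # skipped
    ]
    for h in affected_hosts(sample):
        print("AFFECTED:", h)
```

The check treats only the version as evidence; as with the plugin itself, it does not confirm that any individual flaw in the list is reachable, so results should feed a patch-priority queue rather than be reported as confirmed exploitability.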

See Also

https://magento.com/security/patches/magento-2.0.10-and-2.1.2-security-update

Plugin Details

Severity: Critical

ID: 700414

Family: CGI

Published: 2/11/2019

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:magento:magento

Patch Publication Date: 10/11/2016

Vulnerability Publication Date: 10/11/2016