Magento Community Edition 2.0.x < 2.0.16 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700416

Synopsis

The remote web server is running an outdated instance of Magento Community Edition (CE) that is affected by multiple vulnerabilities.

Description

Versions of Magento CE 2.0.x prior to 2.0.16 are affected by multiple vulnerabilities:

- A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution.
- A Magento administrator with limited privileges can exploit a vulnerability in the theme creation function to arbitrarily disclose and delete system files of a Magento installation.
- A Magento administrator with limited privileges can use the 'Delete Files' module to upload and delete arbitrary files.
- A Magento administrator with limited privileges can exploit a vulnerability in the Magento functional tests and obtain full remote code execution on the system.
- An anonymous attacker who knows generic order information can generate a cookie collision and obtain order information.
- A Magento administrator with limited privileges can use the sitemap generation tool to arbitrarily overwrite sensitive files.
- Several Magento site URLs leak sensitive information that can include verbose error messages and controller location. Attackers can use this information to exploit other vulnerabilities.
- A Magento administrator with limited privileges can exploit a vulnerability in the customer group to create a URL that can be used as part of a Cross-Site Request Forgery (CSRF) attack.
- An attacker can add a URL to a Magento site, thereby redirecting users to an external phishing website.
- A Magento administrator can inject code in custom product attributes.
- An attacker with the ability to launch a Man-In-The-Middle (MITM) attack on a network connection could inject code on the Magento Admin RSS feed.
- Non-Apache installations (e.g. Nginx) can allow uploads of executable scripts that can be used for further exploitation.
- Magento does not correctly set concurrent sessions to expire. A customer could log out under the mistaken assumption that their sessions have expired, but later, an attacker could access the account through one of the unexpired sessions.
- A Magento administrator can inject executable scripts in non-executable areas, such as the page title.
- Anti-CSRF tokens do not properly change after a successful login.
- A Magento administrator with limited privileges can exploit a vulnerability in the newsletter template to create a URL that can be used as part of a CSRF attack.
- An administrator can inject code in sales order records, which can result in a Cross-Site Scripting (XSS) attack on anyone who views the page.
- A Magento administrator with limited privileges can insert malicious code in email templates.
- A Magento administrator with limited privileges can add new products that could contain a malicious script in the product's thumbnail.
- A Magento administrator with limited privileges can insert executable code in the Order view through the order code label.
- A Magento administrator with limited privileges can add new SVG images that contain injected code.
- A Magento administrator with limited privileges can modify the page counter when creating a new page. This can cause an integer overflow, which could prevent the creation of new pages.
- A Magento administrator can inject code in the integration activation.
- A Magento administrator with limited privileges can update the Favicon image for the entire site.
- A Magento administrator can inject scriptable code into customer fields, which could result in an XSS attack.
- Magento does not properly check Access Control Lists in the quick edits grid.
- An attacker can craft a URL request on a Magento site during checkout and retrieve information about past orders.
- Customer and Admin tokens do not expire correctly, which allows for the potential re-use of a cookie by an attacker.
- An anonymous user can visit an internal URL and see the status of a Magento upgrade.
- The Magento email replies to product requests expose the system path of the Magento installation. Attackers could leverage the system path to enable the use of other vulnerabilities.
- Several fields in the Admin panel do not correctly handle autocomplete, which could result in a potential information leak when a browser tries to autocomplete the field.
- The account lockout mechanism leaks a Magento site's contact e-mail.
- A logged-in user can modify order fields that they do not have permission to view.

Solution

Upgrade to Magento CE version 2.0.16 or later.

See Also

https://magento.com/security/patches/magento-2.0.16-and-2.1.9-security-update

Plugin Details

Severity: High

ID: 700416

Family: CGI

Published: 2019/02/19

Updated: 2019/03/06

Dependencies: 9691

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 8.5

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 8.2

Temporal Score: 7.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:magento:magento

Patch Publication Date: 2017/09/04

Vulnerability Publication Date: 2017/09/04