Magento Community Edition 2.0.x < 2.0.18 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 700418

Synopsis

The remote web server is running an outdated instance of Magento Community Edition (CE) that is affected by multiple attack vectors.

Description

Versions of Magento CE 2.0.x prior to 2.0.18 are affected by multiple vulnerabilities :

- A user can insert a script in storefront field that could lead to arbitrary JavaScript code execution in the context of the administrator panel.
- An administrator with limited privileges can remotely execute code using a path traversal vulnerability during the CMS image or media upload process.
- A user can insert script into some customer information fields, which could potentially result in stored XSS (XSS) that affects administrators.
- A user can insert script into his or her address, which could potentially result in stored XSS that affects administrators.
- A user can insert script in their address field, which can potentially introduce a denial-of-service vulnerability.
- An administrator can be tricked into performing a system backup by an attacker who has crafted a targeted Cross-Site Request forgery (CSRF) attack.
- An administrator with limited privileges can delete critical system control files to subsequently gain privilege escalation through the Import History feature.
- An administrator with limited privileges can insert a file in the file system using the WYSIWYG image upload process.
- A user can gain file system write access using path traversal on the 'static.php' file.
- An administrator with limited privileges can insert script into downloadable products, shipment tracking, and detailed rating which could potentially result in stored XSS that affects other administrators.
- An administrator with system configuration privileges can covertly add JavaScript to the Magento store front.
- An administrator with limited privileges can insert script in the custom variables name field, attribute group name field, downloadable product link title field, RMA SKU field, and the private sales events and invitations fields which could potentially result in stored XSS that affects other administrators.
- An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored XSS that affects other administrators.
- A user can craft a URL that forces another user to open the Print Order view.
- An administrator with limited privileges can craft a cross-site request to perform requests on behalf of another administrator.

Solution

Upgrade to Magento CE version 2.0.18 or later.

See Also

https://magento.com/security/patches/magento-2.2.3-2.1.12-and-2.0.18-security-update

Plugin Details

Severity: Critical

ID: 700418

Family: CGI

Published: 2019/02/19

Updated: 2019/03/06

Dependencies: 9691

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:magento:magento

Patch Publication Date: 2018/02/27

Vulnerability Publication Date: 2018/02/27