The popular e-commerce CMS platform, Magento, announced multiple security updates to its Commerce and Open Source editions on March 26, 2018. More than 250,000 active Magento installations are affected by these security flaws, including versions 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, and 2.3 prior to 2.3.1.

Among the thirty-seven vulnerabilities identified, the most critical are a SQL injection (SQLi) vulnerability, remote code execution (RCE), cross-site scripting (XSS), and a cross-site request forgery (CSRF) vulnerability. These vulnerabilities allow attackers to gain unauthenticated access to affected sites, which could have major data breach consequences for site owners.

What does this mean?

  • The SQL injection (SQLi) vulnerability allows an attacker to gain unauthenticated access to a site by injecting malicious code, as well as to read the contents of the database. This makes it possible for the attacker to gain control of the site and retrieve sensitive data from its database.
  • The remote code execution (RCE) vulnerability allows an unauthenticated attacker with limited permissions to execute arbitrary code on targeted systems through a crafted newsletter, email template code, or email templates.
  • The cross-site scripting (XSS) vulnerability allows an unauthenticated attacker to embed malicious code into multiple sections of a site, including the Admin Shopping Cart Rules.
  • The cross-site request forgery (CSRF) vulnerability allows an attacker to delete a product attribute or sitemap by tricking an authenticated administrator into submitting a malicious request, so that the request is carried out with the administrator's own access.

Every Magento site owner is encouraged to update to the latest version immediately to help protect their e-commerce store. Users who have not updated to the latest version of Magento should be aware that they are leaving their database exposed to attackers seeking sensitive data, such as customers’ usernames, password hashes, contact information and, most importantly, credit card details. As a best practice, always keep themes, plugins, and core files up to date. For a complete list of the vulnerabilities patched, visit Magento’s security patches page.
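A quick way to act on the version ranges above is to check each installation's reported version against the first fixed release on its branch. The script below is an added example, not SiteLock's or Magento's code: the fixed versions (2.1.17, 2.2.8, 2.3.1) come from the advisory text, while the inventory strings it parses are constructed and the idea that they come from a tool such as `bin/magento --version` is an assumption (the parser only needs an X.Y.Z version somewhere in the string).

```python
"""Triage Magento 2 installations against the affected ranges in the
March 26, 2018 advisory: 2.1 < 2.1.17, 2.2 < 2.2.8, 2.3 < 2.3.1.

Added example; not SiteLock's or Magento's own code. The fixed versions are
taken from the advisory text; the input format is an assumption.
"""
import re

# Branch (major, minor) -> first release on that branch that contains the fixes.
FIXED_VERSIONS = {
    (2, 1): (2, 1, 17),
    (2, 2): (2, 2, 8),
    (2, 3): (2, 3, 1),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first X.Y.Z in `text` as an int tuple.

    Works on a bare '2.2.7' as well as on a longer line such as
    'Magento CLI version 2.2.7' (assumed format). A pre-release suffix like
    '2.3.0-beta' is compared by its numeric part only.
    """
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(group) for group in match.groups())


def is_affected(version_text):
    """Return (affected, fixed_version) for one installation.

    affected is True when the version is on a branch named in the advisory
    and older than that branch's fixed release, False when it is at or past
    the fix, and None when the branch (e.g. 2.0 or 1.x) is not covered by the
    advisory text, so no claim is made about it.
    """
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None, None
    return (major, minor, patch) < fixed, "%d.%d.%d" % fixed


def triage(version_texts):
    """Map each inventory line to a human-readable status."""
    report = {}
    for text in version_texts:
        affected, fixed = is_affected(text)
        if affected is None:
            status = "not covered by this advisory; check separately"
        elif affected:
            status = f"AFFECTED - update to {fixed} or later"
        else:
            status = "patched"
        report[text] = status
    return report


if __name__ == "__main__":
    # Constructed sample inventory, one line per store, as a sysadmin might
    # collect from each host. The values are made up for the example.
    inventory = [
        "shop-eu: Magento CLI version 2.2.7",
        "shop-us: Magento CLI version 2.3.0",
        "shop-uk: Magento CLI version 2.1.17",
        "legacy:  Magento CLI version 2.0.18",
    ]
    for line, status in triage(inventory).items():
        print(f"{line}: {status}")
```

Anything reported as AFFECTED should be updated before the next scan rather than waiting; a None result simply means the advisory quoted above says nothing about that branch.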

Magento sites protected by SiteLock INFINITY are protected from these vulnerabilities and will have the patches applied automatically when their next automated scan runs. Download the latest version of Magento to take advantage of the latest security updates.

If you would like to protect your Magento site today with automated malware removal and core CMS vulnerability patching, contact SiteLock today and ask about INFINITY. We’re available 24/7 via phone, email, or live chat to help.