Magento Security Updates Fix Over 30 Bugs Including an Unauthenticated Remote Code Execution Vulnerability (PRODSECBUG-2198)
Magento Commerce and Open Source advisory provides fixes for RCE, XSS, SQLi, and XSRF vulnerabilities.
Hintergrund
Magento has released a security advisory for 30+ vulnerabilities, including an unauthenticated Remote Code Execution (RCE) vulnerability which Magento is highly recommending users patch as soon as possible. Magento is an e-commerce management tool widely used by many online platforms. With the frequency of Magecart attacks, proper e-commerce security is critical for any modern business.
Analyse
In the advisory, “PRODSECBUG-2198” is a high severity unauthenticated SQL injection vulnerability that could allow an attacker to run code on a target Magento instance, and the advisory lists that this could lead to sensitive data leakage. Data leakage for e-commerce platforms involve personal and financial information, and Sucuri reports that this attack is “Very Easy” to execute. As of March 28, there were no specific details or publicly available exploits. Magento is recommending customers upgrade to protect their stores.
Update March 29: Ambionics Security has released a technical analysis of the flaw with additional details and a working proof of concept (PoC) that would allow for extraction of admin sessions or password hashes.
Lösung
Magento site owners should update to the patched versions as soon as possible. PRODSECBUG-2198 has been patched in the following Magento releases:
- Magento Open Source 1.9.4.1
- Magento Commerce 1.14.4.1
- Magento Commerce 2.1.17
- Magento Commerce 2.2.8
- Magento Commerce 2.3.1
Identifizieren betroffener Systeme
A list of plugins to identify these vulnerabilities will appear here as they’re released.
Weitere Informationen
Verfolgen Sie die Beiträge des Security Response Team von Tenable in der Tenable Community.
Erfahren Sie mehr über Tenable, die erste Cyber Exposure-Plattform für die ganzheitliche Verwaltung Ihrer modernen Angriffsoberfläche.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
Cybersecurity Snapshot: Find MITRE ATT&CK Complex? Need Help Mapping to It? There’s an App for That!
March 10, 2023Learn about a new tool that streamlines MITRE ATT&CK mapping. Plus, known vulnerabilities remain a major cyber risk – just ask LastPass. Also, discover why SaaS data protection remains difficult. Plus, a look at the U.S. National Cybersecurity Strategy. And much more!
The Ransomware Ecosystem: In Pursuit of Fame and Fortune
July 28, 2022The key players within the ransomware ecosystem, including affiliates and initial access brokers, work together cohesively like a band of musicians, playing their respective parts as they strive for fame and fortune.
Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group
July 20, 2022Having gained the industry’s attention in the first months of 2022, the LAPSUS$ extortion group has largely gone quiet. What can we learn from this extortion group’s story and tactics?
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Threat Intelligence
- Threat Management
- Vulnerability Management