Critical Flaws in Magento leave Millions of E-Commerce Sites at Risk

If you are using Magento to run your e-commerce website, it's time for you to update the CMS (content management system) now.

Millions of online merchants are at risk of hijacking attacks due to a number of critical cross-site scripting (XSS) vulnerabilities in the Magento, the most popular e-commerce platform owned by eBay.

Why the Bugs are So Serious?

Virtually all versions of Magento Community Edition 1.9.2.2 and earlier as well as Enterprise Edition 1.14.2.2 and earlier, are vulnerable to the Stored Cross-Site Scripting (XSS) flaws.

The stored XSS flaws are awful as they allow attackers to:

• Effectively take over a Magento-based online store
• Escalate user privileges
• Siphon customers’ data
• Steal credit card information
• Control the website via administrator accounts

However, the good news is that the vulnerabilities are patched, and an update has been made available to the public after security firm Sucuri discovered and privately reported the vulnerability to the company.

How Easy it is to Exploit the Flaw

The XSS bugs are quite easy to exploit. All an attacker need to do is embed malicious JavaScript code inside customer registration forms in place of email address.

Magento then runs and executes this email containing JavaScript code in the context of the administrator account, making it possible for an attacker to steal administrator session and completely take over the server running Magento.

Cybersecurity firm Sucuri describes the bug as the worst hole, saying:

"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you are behind a WAF or you have a very heavily modified administration panel, you are at risk."
"As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."

Patch your Software Now!

To prevent websites from exploitation, webmasters are recommended to apply the latest patch bundle SUPEE-7405 as soon as possible.

Since the latest patch resolves the issue for Magento version 1.14.1 and 1.9.1 and earlier, problems impacting Magento versions 1.14.2.3 and 1.9.2.3 have already been resolved.

With Alexa top one million e-commerce websites and over all ten Million websites using the internet's fourth most popular CMS, Magento has become a valuable target for attackers nowadays.

So, patch your websites now to stay safe!