A bug in Magento discovered by the security firm Sucuri could jeopardize e-commerce sites and the users subscribed to their services. The patch is already available, but it is up to the websites themselves to update the platform.
Millions of e-commerce sites may potentially be exposed to a just-corrected vulnerability in the Magento platform. Discovered and announced by Sucuri, the "Stored XSS" bug is present in all versions of Magento Community Edition and Enterprise Edition earlier than 1.9.2.3 and 1.14.2.3 respectively. The security company had already reported the vulnerability privately and decided to make it public only now that a fix has been released.
The bug allows attackers to embed arbitrary external malicious JavaScript code within the new user registration form. In this way, Magento runs the script in the context of administrative rights, effectively making profound changes possible on the server on which the e-commerce platform runs.
"The snippet containing the bug is within the Magento core libraries, more precisely in the administrator backend," Sucuri said on its website. "Unless your site is behind a WAF or uses a radically altered administration panel, the site is at risk. As this is a Stored XSS vulnerability, the issue could be used by potential attackers to take full control of the site, create a new administrator account, steal user information and carry out all the tasks permitted to a legitimate administrator."
XSS (cross-site scripting) bugs are probably among the most widespread and most exploited vulnerabilities on websites. They are the result of web applications that fail to recognize executable code within the characters users enter into their forms, and then render that input back into a page without neutralizing it.
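As an added illustration (not code from Sucuri or Magento), a minimal Python model of the failure described here: a registration field stored with markup is later rendered unescaped in an admin view, while the hardened renderer escapes every user-controlled value at output time and a simple scan flags stored records that carry markup. The field names, templates and sample records are constructed for the example.

```python
import html
import re

# Constructed sample records, as a registration form might store them:
# customer 2's first name carries markup instead of a name.
CUSTOMERS = [
    {"id": 1, "firstname": "Alice", "lastname": "O'Neil"},
    {"id": 2, "firstname": "<script src=//example.invalid/x.js></script>",
     "lastname": "Smith"},
]

ROW_TEMPLATE = "<tr><td>%d</td><td>%s %s</td></tr>"


def render_admin_row_vulnerable(customer):
    """Stored XSS: stored values are concatenated into the admin HTML as-is,
    so any markup a customer submitted becomes part of the admin page."""
    return ROW_TEMPLATE % (customer["id"], customer["firstname"],
                           customer["lastname"])


def render_admin_row_fixed(customer):
    """Hardened: HTML-escape every user-controlled value at output time
    (the escaped text is still displayed, but never parsed as markup)."""
    esc = lambda s: html.escape(str(s), quote=True)
    return ROW_TEMPLATE % (customer["id"], esc(customer["firstname"]),
                           esc(customer["lastname"]))


# Tags the template itself emits; anything else starting with '<' in the
# rendered row came from stored user data.
TEMPLATE_TAGS = re.compile(r"</?t[rd]>")


def leaks_markup(rendered_row):
    """Output check: True if user data introduced markup into the rendered row."""
    return "<" in TEMPLATE_TAGS.sub("", rendered_row)


# Detection aid for defenders: markup-like fragments in stored name fields.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|on\w+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_customers(customers):
    """Return ids of stored records whose name fields look like HTML/JS."""
    return [c["id"] for c in customers
            if any(MARKUP.search(str(c[k])) for k in ("firstname", "lastname"))]


if __name__ == "__main__":
    for c in CUSTOMERS:
        print("vulnerable:", render_admin_row_vulnerable(c))
        print("fixed:     ", render_admin_row_fixed(c))
    print("suspicious records:", find_suspicious_customers(CUSTOMERS))
```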
All Magento-based sites should install the update as soon as possible; where the patch cannot be applied immediately, it is recommended to use a security suite with a firewall capable of blocking this specific bug.