Magento yesterday released new versions of its e-commerce platform to address a total of 37 newly discovered security vulnerabilities.
Magento is one of the most popular e-commerce platforms, reported to power about 28% of e-commerce websites, with more than 250,000 merchants using the open source platform.
Most of the reported issues can only be exploited by authenticated users. One of the most severe, however, is an SQL injection vulnerability that can be exploited by unauthenticated, remote attackers.
The flaw, tracked internally as "PRODSECBUG-2198," could allow a remote attacker to read sensitive data from the database of a vulnerable e-commerce site, including admin session identifiers or password hashes that could be used to gain access to the admin dashboard.
Affected Magento versions include:
- Magento Open Source prior to 1.9.4.1
- Magento Commerce prior to 1.14.4.1
- Magento Commerce 2.1 prior to 2.1.17
- Magento Commerce 2.2 prior to 2.2.8
- Magento Commerce 2.3 prior to 2.3.1
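The list above is the actionable part of the advisory, so here is a small triage script that checks version strings against it. This is an added example, not code from the article or from Magento; the host inventory is constructed, and the script assumes that the 2.x fixed releases (2.1.17, 2.2.8, 2.3.1) apply to both Magento Open Source and Magento Commerce, which the article lists only under Commerce. Branches the article does not mention (such as 2.0.x) are reported as unknown rather than silently treated as safe.

```python
"""Triage Magento installs against the affected-version list above.

Added example, not code from the article or from Magento. It assumes
that the 2.x fixed releases (2.1.17, 2.2.8, 2.3.1) apply to both
Magento Open Source and Magento Commerce, although the article lists
them only under Commerce.
"""
from __future__ import annotations

import re

# First patched release on each branch, per the article's list.
# Versions compare as tuples, so (1, 9, 3, 10) < (1, 9, 4, 1).
PATCHED: dict[tuple[str, str], tuple[int, ...]] = {
    ("open source", "1"): (1, 9, 4, 1),
    ("commerce", "1"): (1, 14, 4, 1),
}
for _branch, _fixed in (("2.1", (2, 1, 17)), ("2.2", (2, 2, 8)), ("2.3", (2, 3, 1))):
    PATCHED[("open source", _branch)] = _fixed  # assumption: 2.x fixes cover both editions
    PATCHED[("commerce", _branch)] = _fixed

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> tuple[int, ...]:
    """Pull a dotted numeric version out of a string.

    Accepts bare versions ('2.2.7'), suffixed ones ('2.2.7-p1', suffix
    dropped) and tool output that contains a version somewhere in it.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def branch_of(version: tuple[int, ...]) -> str:
    """Magento 1 is one branch ('1'); Magento 2 branches on the minor ('2.3')."""
    if version[0] == 1:
        return "1"
    return f"{version[0]}.{version[1] if len(version) > 1 else 0}"


def is_affected(edition: str, version_text: str) -> bool | None:
    """True if older than the fix, False if patched, None if the branch
    is not in the list (e.g. 2.0.x, which the article does not mention)."""
    version = parse_version(version_text)
    fixed = PATCHED.get((edition.strip().lower(), branch_of(version)))
    if fixed is None:
        return None
    return version < fixed


# Constructed sample inventory (not real hosts): host,edition,version
SAMPLE_INVENTORY = """\
# host,edition,version
shop-a.example,Commerce,2.2.7
shop-b.example,Open Source,1.9.4.1
shop-c.example,Commerce,2.3.1
shop-d.example,Open Source,1.9.3.10
shop-e.example,Commerce,2.1.16-p1
shop-f.example,Commerce,2.0.18
"""


def triage(inventory: str) -> dict[str, str]:
    """Map each host to 'affected', 'patched' or 'unknown branch'."""
    labels = {True: "affected", False: "patched", None: "unknown branch"}
    result: dict[str, str] = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, edition, version = (field.strip() for field in line.split(",", 2))
        result[host] = labels[is_affected(edition, version)]
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:20} {status}")
```

Feed it the edition and version of each store (for Magento 2 the version is printed by `bin/magento --version`; for Magento 1 it comes from the admin footer or `Mage::getVersion()`), and treat every "affected" and "unknown branch" result as needing attention until verified.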
Because Magento stores hold not only user account data but also customers' order history and financial information, the flaw could lead to severe attacks on both merchants and their customers.
Magento has also patched cross-site request forgery (CSRF), cross-site scripting (XSS), remote code execution (RCE) and other flaws, but exploitation of the majority of those flaws requires the attacker to be authenticated on the site with some level of privileges.
Store owners are advised to upgrade their e-commerce sites to the patched versions as soon as possible. Since the SQL injection flaw needs no authentication, any Internet-facing store still running an affected version should be treated as exposed until it is updated.