tagline: Confidence in the Connected World
CIS Logo
HomeResourcesAdvisoriesMultiple Vulnerabilities in Magento eCommerce Platform Could Allow Remote Code Execution

Multiple Vulnerabilities in Magento eCommerce Platform Could Allow Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2016-019

DATE(S) ISSUED:

01/26/2016

OVERVIEW:

Multiple vulnerabilities have been discovered in the Magento eCommerce platform that could allow remote code execution. Magento Commerce is a company that provides eCommerce solutions to allow merchants to do business transactions over the Internet. Successful exploitation of these vulnerabilities could allow the attacker to perform remote code execution with administrator privileges.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Magento Community Edition (CE) prior to 1.9.2.3
  • Magento Enterprise Edition (EE) prior to 1.14.2.3
  • Magento 2 CE & EE prior to 2.0.1

RISK:

Goverment:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
N/A

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in the Magneto eCommerce platform that could allow remote code execution. Successful exploitation of these vulnerabilities could grant the attacker administrative access over the eCommerce platform and lead to remote code execution. Details of these vulnerabilities are as follows:

Multiple stored cross-site scripting vulnerabilities exist that could allow for hijacking the administrator account and lead to remote code execution. (APPSEC-1213, APPSEC-1214, APPSEC-1239, APPSEC-1260, APPSEC-1267, APPSEC-1263, and APPSEC-1276)
A reflected cross-site scripting vulnerability exists that could allow attackers to execute phishing or spam campaigns. (APPSEC-1255)
Multiple cross-site forgery vulnerabilities exist that could lead users/administrators to unintentionally delete items from shopping carts or execute server-side actions. (APPSEC-1179, APPSEC-1206, and APPSEC-1212)
A vulnerability exists that allows CAPTCHA bypassing that could allow brute-force password guessing and/or increase the risk of spam. (APPSEC-1283)
Multiple information leakage vulnerabilities exist that could allow for leakage of sensitive customer data. (APPSEC-1171, APPSEC-1247, and APPSEC-1270)
A vulnerability exists that allows any user to edit or delete product reviews. (APPSEC-1268)
An SQL injection vulnerability exists that could lead the attacker to download sensitive parts of the Magento database. (APPSEC-1294)

RECOMENDATIONS:

We recommend the following actions be taken:

Apply appropriate updates provided by Magento Commerce to vulnerable systems, immediately after appropriate testing.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
Review log files to determine if the identified vulnerabilities were exploited, and remediate per your security policy and procedures.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Protect Your Systems from Cyber Threats Like This

CIS Control That Helps Avoid This Issue Arrow CIS Control 4: Continuous Vulnerability Assessment and Remediation

Information Hub: Advisories