Critical SQL Injection vulnerability in Magento websites. Update immediately!

Attention! 37 security vulnerabilities have been identified in the Magento platform. The company recently released new versions of its content management software.

Magento, owned by Adobe since 2018, is one of the most popular content management systems (CMS), powering 28% of websites worldwide. Since there is a high chance that many of you belong to that 28%, pay close attention.

One of the most critical vulnerabilities is an SQL injection flaw, which can be exploited remotely by unauthorized intruders. For security reasons, Magento developers decided not to release technical details about the flaw.

The defect, which has no CVE identifier but is tagged internally as "PRODSECBUG-2198", could allow hackers to steal sensitive information from the databases of vulnerable e-commerce websites, including admin sessions or passwords for the administrator dashboard.

In addition to the SQLi vulnerability, Magento has also patched cross-site request forgery (CSRF), cross-site scripting (XSS), remote code execution (RCE) and other defects. However, exploiting the majority of these weaknesses requires the attacker to be authenticated on the site.

Affected Magento versions include:

  • Magento Open Source before 9.4.1
  • Magento Commerce before 14.4.1
  • Magento Commerce 2.1 before 1.17
  • Magento Commerce 2.2 before 2.8
  • Magento Commerce 2.3 before 3.1

Since Magento sites store not only user information but also the order history and financial information of their customers, the defect can lead to devastating online attacks.

Online store owners are urged to upgrade their e-commerce websites to the latest versions as soon as possible, before hackers start exploiting the bug to compromise their websites and steal their customers' payment card details.
