
Millions Of eCommerce Sites At Risk From Magento Bug

A just-patched weakness in the Magento eCommerce platform has left millions of online merchants potentially at risk of a hijacking attack.

The XSS bug reportedly exists in all versions of Magento Community Edition and Enterprise Edition prior to and, respectively. Security researchers from Sucuri, the group that found and reported the problem, determined that an attacker could use the flaw to embed malicious JavaScript code inside customer registration forms.

Because the injected scripts are executed in the context of administrator accounts when an administrator views the submitted data, the exploit makes it possible to completely control an entire server operating the eCommerce platform.

“The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend,” a Sucuri advisory explained. “Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do.”

XSS bugs arise when a Web application fails to strip or neutralize executable code in user-supplied input before rendering that input back into a page, so that a script planted in a form field runs in the browser of whoever later views the page, in this case the store administrator.
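To make the mechanism concrete, here is an added example that is not Magento's code and not part of the original article: a minimal admin-panel row renderer written twice, once with the stored-XSS defect the article describes (raw interpolation of a customer registration field into the administrator's page) and once with output encoding applied. Python is used for portability even though Magento itself is PHP; the customer record, field names and function names are all constructed for this illustration.

```python
import html
from typing import Dict

# Constructed sample of a customer registration record as a back end might
# store it. The "firstname" field carries script markup, the kind of input a
# stored XSS bug fails to neutralize. This is an illustration, not Magento's
# real data model.
SAMPLE_CUSTOMER: Dict[str, str] = {
    "firstname": "<script>alert(1)</script>",
    "lastname": "Doe",
    "email": "jane@example.com",
}

CUSTOMER_FIELDS = ("firstname", "lastname", "email")


def render_customer_row_vulnerable(customer: Dict[str, str]) -> str:
    """Admin-panel table row built by raw string interpolation.

    Whatever the customer typed is emitted verbatim into the administrator's
    page, so markup stored in the record becomes live HTML (and live script)
    the moment an admin opens the customer list.
    """
    cells = "".join(f"<td>{customer[field]}</td>" for field in CUSTOMER_FIELDS)
    return f"<tr>{cells}</tr>"


def render_customer_row_safe(customer: Dict[str, str]) -> str:
    """Same row, with every untrusted value HTML-escaped at output time.

    html.escape(quote=True) turns < > & " and ' into entities, so the browser
    displays the customer's text instead of parsing it as tags or attributes.
    Escaping at the point of output is the fix; trusting that input was
    "cleaned" earlier is what leaves stored XSS bugs behind.
    """
    cells = "".join(
        f"<td>{html.escape(customer[field], quote=True)}</td>"
        for field in CUSTOMER_FIELDS
    )
    return f"<tr>{cells}</tr>"


def contains_live_script(rendered_html: str) -> bool:
    """Crude regression check for template tests: does the rendered fragment
    still contain an unescaped <script> tag? Escaped output has "&lt;script"
    instead, which this check deliberately does not match."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    vulnerable = render_customer_row_vulnerable(SAMPLE_CUSTOMER)
    safe = render_customer_row_safe(SAMPLE_CUSTOMER)
    print("vulnerable:", vulnerable)
    print("safe:      ", safe)
    print("script survives in vulnerable output:", contains_live_script(vulnerable))
    print("script survives in safe output:      ", contains_live_script(safe))
```

Running the block prints the same record rendered both ways; the vulnerable row carries a working `<script>` element into the administrator's page, while the escaped row shows the literal text. A check like `contains_live_script` run over rendered admin templates with markup-bearing test records is a cheap way to catch this class of regression before it ships.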

They are a common kind of digital malady, and security experts are recommending that Magento users install the patch update as soon as possible.
