Administrators of Magento e-commerce websites have to update their installations due to the presence of a critical SQL injection vulnerability in the popular CMS.
The flaw could have a significant impact considering that roughly 28% of websites on the Internet are based on the popular open source e-commerce platform.
This week Magento released new versions of to address a total of 37 security vulnerabilities.
The company addressed Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other issues, most of them could only be exploited by authenticated users. Experts pointed out that the most severe flaw addressed in this round is an SQL Injection vulnerability, that can be exploited by unauthenticated, remote attackers.
The vulnerability, internally tracked as “PRODSECBUG-2198,” could be exploited by remote attackers to steal sensitive information from the databases of vulnerable e-commerce sites. The flaw could be exploited to steal admin sessions or password hashes that could allow attackers to access to the admin’s dashboard.
“Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.” reads the security advisory published by Magento.
The versions of the CMS affected by the flaw include:
Administrators of e-commerce websites running on vulnerable versions of the CMS have to install the latest version as soon as possible.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.