Magento addressed security vulnerabilities that could be chained by an unauthenticated attacker to hijack administrative sessions and completely take over online stores.
The flaws could be exploited if the store uses the built-in, core Authorize.Net payment module, a Visa solution that allows the store to process credit card payments. Experts pointed out that this module is widely used in online stores running on top of Magento.
Experts rated the chain of exploits as high severity because it is easy to exploit and does not require interaction from any specific user.
The XSS occurs when the sanitized links are processed via vsprintf(): an additional double quote is injected into the <i> tag, allowing for an attribute injection.
“As can be seen in the above table, the tag is replaced with a %1s and the user input string is then sanitized. As %1s is not a dangerous value, it passes the
“This allows an attacker to inject arbitrary HTML attributes into the resulting string. By injecting a malicious onmouseover event handler and a style attribute to make the link an invisible overlay over the entire page, the XSS payload triggers as soon as a victim visits a page that contains such an XSS payload and moves his mouse.”
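The escaping-order mistake described above, as an added PHP illustration (this is not Magento's code; the template, the function names and the strip_tags()-based allowlist stand-in for the sanitizer are assumptions):

```php
<?php
// Added illustration, not Magento's own code: a template is passed through an
// allowlist sanitizer while it still contains a vsprintf() placeholder, and the
// untrusted value is substituted afterwards, so it never gets escaped.

// Vulnerable order: sanitize first (the %1$s placeholder is harmless and the
// allowed <i> tag survives), then vsprintf() inserts the raw value.
function renderSanitizeThenFormat(string $template, string $value): string
{
    $sanitized = strip_tags($template, '<i>'); // stand-in allowlist sanitizer
    return vsprintf($sanitized, [$value]);     // $value is inserted unescaped
}

// Hardened order: the developer-controlled template is still sanitized, but
// every substituted value is escaped for an HTML attribute/text context first.
function renderFormatEscapedValues(string $template, string $value): string
{
    $sanitized = strip_tags($template, '<i>');
    $safeValue = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return vsprintf($sanitized, [$safeValue]);
}

// Constructed input: a closing double quote followed by an extra attribute,
// the shape of the attribute injection described above (no script payload).
$untrusted = 'x" data-injected="1';
$template  = '<i title="%1$s">transaction note</i>';

echo renderSanitizeThenFormat($template, $untrusted), PHP_EOL;
// <i title="x" data-injected="1">transaction note</i>   (attribute injected)
echo renderFormatEscapedValues($template, $untrusted), PHP_EOL;
// <i title="x&quot; data-injected=&quot;1">transaction note</i>
```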
“By injecting a phar:// stream wrapper into an image file handler, an attacker can trigger a PHP object injection. He can then chain POP gadgets from the Magento core that in the end lead to Remote Code Execution,” RIPS Technologies continues.
The Stored XSS vulnerability was found in Magento 2.2.6 and reported in September. Magento released a patch in November that addressed the issue in 2.2.7 and 2.1.16. In December, the experts found that a bypass of that patch affected Magento 2.3.0. The Phar deserialization vulnerability was reported in January and addressed in March in Magento 2.3.1, 2.2.8 and 2.1.17. In June, the Stored XSS was patched again in Magento 2.3.2, 2.2.9 and 2.1.18.