Bug in Magento puts millions of e-commerce sites at risk of takeover

Millions of online merchants are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento e-commerce platform.

The stored cross-site scripting (XSS) bug is present in virtually all versions of Magento Community Edition and Enterprise Edition prior to 1.9.2.3 and 1.14.2.3, respectively, according to researchers from Sucuri, the website security firm that discovered and privately reported the vulnerability. It allows attackers to embed malicious JavaScript code inside customer registration forms. Magento executes the scripts in the context of the administrator account, making it possible to completely take over the server running the e-commerce platform.

“The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend,” a Sucuri advisory explained. “Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do.”
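As an added illustration that is not Magento's code and not part of the Sucuri advisory, the Python below models the bug class described above: customer-supplied registration fields concatenated into an administrator page without output encoding, beside the escaped rendering, plus a triage check a defender can run over stored customer records. The record layout, field names and the markup in the second record are constructed for the example.

```python
import html
import re

# Constructed sample records, shaped like rows an admin "customer grid" would load.
# The second record carries markup in a field that should only ever be plain text.
CUSTOMERS = [
    {"id": 1, "firstname": "Alice", "lastname": "Example", "email": "alice@example.test"},
    {"id": 2, "firstname": "<img src=x onerror=alert(1)>", "lastname": "Bob",
     "email": "bob@example.test"},
]


def render_row_vulnerable(c):
    """Interpolates raw stored input into admin HTML: the stored-XSS pattern.
    Whatever the customer typed at registration runs in the admin's browser."""
    return (f"<tr><td>{c['id']}</td><td>{c['firstname']} {c['lastname']}</td>"
            f"<td>{c['email']}</td></tr>")


def render_row_hardened(c):
    """Escapes every untrusted value for HTML text context before rendering,
    so markup is displayed literally instead of being parsed."""
    def esc(value):
        return html.escape(str(value), quote=True)
    return (f"<tr><td>{esc(c['id'])}</td>"
            f"<td>{esc(c['firstname'])} {esc(c['lastname'])}</td>"
            f"<td>{esc(c['email'])}</td></tr>")


# Heuristic for fields that have no legitimate reason to contain tags or
# inline event handlers; a triage aid for reviewing stored data, not a WAF rule.
MARKUP = re.compile(r"[<>]|javascript:|on\w+\s*=", re.IGNORECASE)


def find_markup_in_customers(customers, fields=("firstname", "lastname", "email")):
    """Defender's check: return (id, field) pairs whose plain-text fields hold markup,
    e.g. to find records planted before a patch or WAF rule was in place."""
    hits = []
    for c in customers:
        for field in fields:
            if MARKUP.search(str(c.get(field, ""))):
                hits.append((c["id"], field))
    return hits
```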

Ars Technica

 
STRATEGIES FOR A COMPANY’S INTELLECTUAL PROPERTY. IP protection is a part of your business strategy and matches your commercial goals. A simple IP strategy is to protect your product and service by getting patent, trademark and copyright certificates.
 

U.S. COMPANY REGISTRATION. We help our foreign clients with registering U.S. business to support moving their innovations to U.S. market. We assist in navigating the process of setting up a new business and support while it grows.

EXHIBITION PRESENTATION. We are working with major organizers of international conferences in USA. We discuss in advance all possible discounts and available places for your expositions.

Related Posts