Anyone running an online e-commerce business on the Magento platform should pay close attention. On 28 March 2019, Magento released new versions of its content management software (CMS) to address a total of 37 recently discovered security vulnerabilities. Magento is one of the most popular open-source content management systems; it has been owned by Adobe since mid-2018, powers 28% of websites across the internet, and is used by over 250,000 merchants for their e-commerce sites.
Although most of the reported issues can only be exploited by authenticated users, one of the most severe flaws is an SQL injection vulnerability that can be exploited by unauthenticated, remote attackers. The flaw, which has no CVE ID but is tracked internally as “PRODSECBUG-2198”, could allow remote attackers to steal sensitive data from the databases of vulnerable e-commerce websites, including admin sessions or password hashes, which would grant them access to the admin dashboard. The affected Magento versions include:
- Magento Open Source prior to 22.214.171.124
- Magento Commerce prior to 126.96.36.199
- Magento Commerce 2.1 prior to 2.1.17
- Magento Commerce 2.2 prior to 2.2.8
- Magento Commerce 2.3 prior to 2.3.1
Because Magento sites store not only user information but also their customers' order history and financial data, the flaw could lead to catastrophic online attacks. The Magento developers have decided not to release technical details of the flaw, since Magento e-commerce websites handle sensitive data on a daily basis and the SQL injection vulnerability poses a real risk to them.
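Magento has not published the vulnerable code, so the following is an added illustration and not Magento's own query or schema: a generic SQL injection pattern in a lookup against a constructed, in-memory admin table, shown beside the parameterized form that closes it. The table name, column names and hash values are all constructed for the example; the point is that a string-built query lets a crafted input return every stored password hash, while parameter binding returns only an exact match.

```python
import sqlite3

# Constructed sample data, not Magento's real schema: a minimal table standing
# in for the admin-user / password-hash records the advisory says could be read.
SAMPLE_ROWS = [
    ("admin", "$2y$10$constructedhash000000000000000000000000000001"),
    ("shopowner", "$2y$10$constructedhash000000000000000000000000000002"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO admin_user VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the caller-supplied value is spliced into SQL text,
    so quote characters in it are parsed as SQL syntax rather than data."""
    sql = (
        "SELECT username, password_hash FROM admin_user "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter and never parsed
    as SQL, so the same crafted input matches no row."""
    sql = "SELECT username, password_hash FROM admin_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (rows from the unsafe lookup, rows from the safe lookup) for
    the same input, each against a fresh database."""
    return lookup_unsafe(make_db(), username), lookup_safe(make_db(), username)


if __name__ == "__main__":
    # Textbook tautology input: the unsafe query returns both hashes,
    # the parameterized query returns nothing.
    unsafe_rows, safe_rows = compare("nobody' OR '1'='1")
    print("unsafe query returned", len(unsafe_rows), "row(s)")
    print("safe query returned", len(safe_rows), "row(s)")
```

For a real Magento deployment the practical takeaways are the ones the advisory implies rather than this toy: apply the fixed release for your branch, and review any custom modules or extensions that build SQL from request input instead of using the framework's bound parameters.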