Magento has released latest versions of its content management software to patch a total of 37 newly-discovered security vulnerabilities.
Magento which is owned by Adobe, is one of the most popular content management system (CMS) platform used in around 28% of websites across the Internet. Over 250,000 merchants use this open source e-commerce platform.
One of the most severe flaws detected in Magento is an SQL Injection vulnerability which can be exploited by unauthenticated, remote attackers. Most of the remaining reported issues could only be exploited by authenticated users.
The SQL Injection flaw does not have a CVE ID and is internally labeled “PRODSECBUG-2198.” This could let a remote hacker to steal sensitive information from the databases of vulnerable e-commerce websites, including admin sessions or password hashes that could grant hackers access to the admin’s dashboard.
The Magento versions that has been affected include
- Magento Open Source prior to 220.127.116.11
- Magento Commerce prior to 18.104.22.168
- Magento Commerce 2.1 prior to 2.1.17
- Magento Commerce 2.2 prior to 2.2.8
- Magento Commerce 2.3 prior to 2.3.1
Magento sites store users’ information and also order history and other financial information of their customers. So, this vulnerability could lead to tragic online attacks.
Magento e-commerce websites handles numerous sensitive data on a daily basis and since the SQL vulnerability presents more risk, Magento developers have decided not to release technical details of the flaw.
Besides this flaw, Magento has also patched cross-site request forgery (CSRF), cross-site scripting (XSS), remote code execution (RCE) and other flaws. The exploitation of the majority of those flaws needs attackers to be authenticated on the site.
All online store owners are highly recommended to upgrade their e-commerce websites to the latest patched versions at the earliest. It is better to do it at the earliest as the hackers might start exploiting the flaw to compromise your websites and get hold of financial details of your customers.