Security researchers have released proof-of-concepts for 2 Magento flaws

Magento is an e-commerce platform written in PHP. It provides online traders with a flexible shopping-cart system, as well as control over the appearance, content and functionality of their online store. It also offers strong marketing, search-engine-optimization and catalog-management tools.

A security researcher from DefenseCode has released proof-of-concept (PoC) code for two CSRF (Cross-Site Request Forgery) and stored XSS (Cross-Site Scripting) flaws affecting a number of Magento versions.

Exploitation of these vulnerabilities could lead to administrator account takeover and, ultimately, to theft of customer payment data.

According to DefenseCode:

“There is a Cross-Site Request Forgery vulnerability present in Customer Groups when a POST request is changed to GET on saving changes to existing groups (/customer/group/save/). When the request method is switched, the lack of the form_key parameter, which serves as a CSRF token, is completely ignored.”

“There is a Cross-Site Request Forgery vulnerability present in Newsletter Templates when a POST request is changed to GET on saving changes on existing or adding new templates (/newsletter/template/save/). When the request method is switched, the lack of the form_key parameter, which serves as a CSRF token, is completely ignored.”
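The root cause in both quotes is the same: the CSRF token is only checked when the request arrives as POST, so the same parameters sent as GET skip the check. The following added example (not Magento's code, and not DefenseCode's PoC) models that pattern in Python and shows the defensive fix beside it: refuse non-POST requests on state-changing routes and validate the token on every request that gets through. `Request`, `vulnerable_save` and `hardened_save` are constructed names for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a request hitting an admin 'save' route."""
    method: str
    path: str
    params: dict = field(default_factory=dict)


# Per-session CSRF token, playing the role of Magento's form_key (constructed value).
SESSION_FORM_KEY = secrets.token_hex(16)


def form_key_valid(req: Request, session_key: str) -> bool:
    """Constant-time comparison of the submitted token with the session token."""
    supplied = req.params.get("form_key", "")
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(supplied.encode(), session_key.encode())


def vulnerable_save(req: Request, session_key: str) -> str:
    """The flawed pattern: the token check is only reached for POST requests,
    so switching the method to GET processes the save with no form_key at all."""
    if req.method == "POST" and not form_key_valid(req, session_key):
        return "rejected"
    return "saved"


def hardened_save(req: Request, session_key: str) -> str:
    """The fix: a state-changing route accepts POST only, and the token is
    validated unconditionally once the method check passes."""
    if req.method != "POST":
        return "rejected"
    if not form_key_valid(req, session_key):
        return "rejected"
    return "saved"


def outcomes(session_key: str) -> dict:
    """Run both handlers over the request shapes the advisory describes."""
    get_no_key = Request("GET", "/customer/group/save/", {"code": "demo"})
    post_with_key = Request("POST", "/customer/group/save/",
                            {"code": "demo", "form_key": session_key})
    return {
        "vulnerable_get": vulnerable_save(get_no_key, session_key),
        "hardened_get": hardened_save(get_no_key, session_key),
        "hardened_post": hardened_save(post_with_key, session_key),
    }
```

A detection-side corollary: GET requests to admin `*/save/` routes that lack `form_key` are never legitimate on a patched install and are worth alerting on in web-server logs.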

The flaws affect:
– Magento CE 1 prior to 1.9.3.6
– Magento Commerce prior to 1.14.3.6
– Magento 2.0 prior to 2.0.16
– Magento 2.1 prior to 2.1.9

If you are running one of the 200,000+ Magento stores and have not yet updated your version, now is the time to do it.
