Magento fixed a critical Magento SQL Injection flaw

There is an important news for administrators of e-commerce websites running over the Magento platform, Magento fixed a critical SQL injection flaw.

Administrators of Magento e-commerce websites have to update their installations due to the presence of a critical SQL injection vulnerability in the popular CMS.

The flaw could have a significant impact considering that roughly 28% of websites on the Internet are based on the popular open source e-commerce platform.

This week Magento released new versions of to address a total of 37 security vulnerabilities.

The company addressed Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other issues, most of them could only be exploited by authenticated users. Experts pointed out that the most severe flaw addressed in this round is an SQL Injection vulnerability, that can be exploited by unauthenticated, remote attackers.

The vulnerability, internally tracked as “PRODSECBUG-2198,” could be exploited by remote attackers to steal sensitive information from the databases of vulnerable e-commerce sites. The flaw could be exploited to steal admin sessions or password hashes that could allow attackers to access to the admin’s dashboard.

“Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.” reads the security advisory published by Magento.

“An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.”

The versions of the CMS affected by the flaw include:

Magento Open Source prior to 1.9.4.1
Magento Commerce prior to 1.14.4.1
Magento Commerce 2.1 prior to 2.1.17
Magento Commerce 2.2 prior to 2.2.8
Magento Commerce 2.3 prior to 2.3.1

Administrators of e-commerce websites running on vulnerable versions of the CMS have to install the latest version as soon as possible.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CMS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.