Critical XSS flaws in Magento leave millions of ecommerce sites at risk [nakedsecurity.sophos.com]
For as long as there have been websites, the vast majority of vulnerabilities have come about because of a failure to handle incoming data properly and the list of Magento vulnerabilities is no exception.
The most serious, though, are the Critical XSS vulnerabilities.
Each of them could be used to take over vulnerable ecommerce sites, putting the stores’ users and their credit card data at risk, as well as representing a serious threat to the business behind the store.
All an attacker’s software needs to do is register for a vulnerable store using a spiked email address (or a spiked username if it’s running version 2).
A huge security hole has been found in popular ecommerce platform Magento, requiring an immediate update.
Critical cross-site scripting vulnerabilities have been found in both versions 1 and 2 of the platform. They can be exploited just by registering with a spiked username or email address – making it an obvious target for automated attack.
The holes can be used to effectively take over a Magento store, putting both user data and credit card data at risk.