Yesterday a new version of the popular e-commerce platform Magento, 2.0.6, was released. The update addresses several critical vulnerabilities that can lead to remote PHP code execution, information leaks and XSS attacks.
According to the vendor's security advisory there are no known attacks against Magento users; however, given the nature of the web application and its popularity, we believe that a fully working exploit will be available within a couple of days.
We urge everyone to install the latest version of Magento, otherwise your website will be defaced.
Below is a table of the fixed vulnerabilities and their potential impact on the security of your Magento installation:
| Security Advisory | Description | Vulnerable products | Severity | CVE / CVSS 3.0 score |
|---|---|---|---|---|
| APPSEC-1420 - Unauthenticated remote code execution via API | Allows a remote unauthenticated attacker to execute arbitrary PHP code through the REST or SOAP APIs. These APIs are enabled by default in almost all Magento installations. | Magento CE, Magento EE | Critical | CVE-2016-4010; 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| APPSEC-1421 - Unauthenticated reinstallation leading to remote code execution | Caused by incorrect configuration of the web application after the installation process. A remote unauthenticated attacker can write to the /app/etc directory and execute arbitrary PHP code on the vulnerable server. | Magento CE, Magento EE | Critical | 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| APPSEC-1422 - Customer account takeover | Allows a remote authenticated attacker to abuse the SOAP or REST API to modify other users' accounts and gain complete control over them. | Magento CE, Magento EE | Medium | 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) |
| APPSEC-1410 - Reflected cross-site scripting in Authorize.net module | An XSS vulnerability in the Authorize.net payment module can be used to execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website. | Magento CE, Magento EE | Medium | 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
| APPSEC-1408 - Data privacy issues in APIs | An information disclosure vulnerability in the way the Quote API returns information retrieved from the database. A remote authenticated attacker can retrieve private data of registered customers. | Magento CE, Magento EE | Medium | 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) |
| APPSEC-1389 - Application information disclosure | The full path to the application directory was displayed in an error message. | Magento CE, Magento EE | Low | 4.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N) |