SB2017100513 - CSRF and XSS in Magento
Published: October 5, 2017
Security Bulletin ID
SB2017100513
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform CSRF attack.
The vulnerability exists due to incorrect validation of the HTTP request origin in Customer Groups functionality when an HTTP POST request is changed to HTTP GET on saving changes to existing groups (/customer/group/save/). The web application ignores "form_key" parameter in HTTP GET request, which allows a remote attacker to create arbitrary customer groups.
2) Stored Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform XSS attack.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via Group Name parameter (code). A remote authenticated attacker can permanently inject and execute arbitrary HTML code in victims browser. The exploit code will be present on several pages when the customer group is shown (on viewing individual orders, individual customers, etc).
This vulnerability can be exploited in chain with CSRF vulnerability, described in this advisory.
Remediation
Install update from vendor's website.