CSRF and XSS in Magento



Published: 2017-10-05
Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: N/A
CWE-ID: CWE-352
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Magento Open Source
Web applications / E-Commerce systems

Adobe Commerce (formerly Magento Commerce)
Web applications / E-Commerce systems

Vendor Magento, Inc

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Cross-site request forgery

EUVDB-ID: #VU8712

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a CSRF attack.

The vulnerability exists due to incorrect validation of the HTTP request origin in the Customer Groups functionality: when the HTTP POST request used to save changes to an existing group (/customer/group/save/) is changed to an HTTP GET request, the web application ignores the "form_key" parameter. This allows a remote attacker to create arbitrary customer groups.

Mitigation

Update to version 1.9.3.6, 1.14.3.6, 2.0.16 or 2.1.9.

Vulnerable software versions

Magento Open Source: 1.9.0.0 - 1.9.3.5

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.8

External links

http://www.defensecode.com/advisories/DC-2017-09-001_Magento_CSRF_Stored_Cross_Site_Scripting.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Stored Cross-site scripting

EUVDB-ID: #VU8713

Risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform an XSS attack.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the Group Name parameter (code). A remote authenticated attacker can permanently inject and execute arbitrary HTML code in a victim's browser. The injected code is rendered on several pages where the customer group is shown (when viewing individual orders, individual customers, etc.).

This vulnerability can be exploited in a chain with the CSRF vulnerability described in this advisory.
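The two weaknesses above (a form_key check that only runs on POST, and a group name rendered without escaping) are modelled in the added example below. It is illustrative code written for this bulletin, not Magento's own code: the save handler, session object, renderers and access-log scanner are simplified stand-ins, and only the endpoint path (/customer/group/save/) and the parameter names (form_key, code) come from the advisory. The weak and hardened variants sit side by side so the fix is visible, and the log scanner shows a simple detection a defender can run over web-server logs: a GET to the save endpoint should never occur with a legitimate form submission.

```python
import html
import hmac
import re
import secrets

# Added, simplified model of the behaviour the advisory describes; not Magento code.
# Paths and parameter names (/customer/group/save/, form_key, code) are those named
# in the advisory; everything else is a constructed stand-in.
STATE_CHANGING_PATHS = {"/customer/group/save/"}


class Session:
    """Holds the per-session CSRF token (Magento calls it form_key)."""

    def __init__(self, form_key=None):
        self.form_key = form_key or secrets.token_urlsafe(16)


def csrf_ok_weak(method, path, params, session):
    """Flawed check: form_key is only compared on POST, so the same save
    action reached via GET bypasses the check entirely."""
    if method == "POST":
        return hmac.compare_digest(params.get("form_key", ""), session.form_key)
    return True


def csrf_ok_hardened(method, path, params, session):
    """State-changing paths must be POST and must carry a valid form_key.
    The check keys on the action, not on the HTTP method the client chose."""
    if path in STATE_CHANGING_PATHS:
        if method != "POST":
            return False
        return hmac.compare_digest(params.get("form_key", ""), session.form_key)
    return True


def render_group_cell_weak(name):
    """Renders the stored group name into a grid cell without escaping."""
    return "<td>" + name + "</td>"


def render_group_cell_hardened(name):
    """Same cell with HTML entity escaping, so a stored name cannot inject markup."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def save_group(method, path, params, session, groups, csrf_check, renderer):
    """Save handler for the customer-group form.
    Returns (http_status, html_fragment); appends to `groups` only on success."""
    if not csrf_check(method, path, params, session):
        return 403, "Invalid form key"
    name = params.get("code", "")
    groups.append(name)
    return 200, renderer(name)


# Detection side: flag GET requests to the save endpoint in a combined-format access log.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_get_saves(log_lines):
    """Returns the log lines where the save endpoint was hit with GET."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("method") == "GET" and m.group("path").startswith("/customer/group/save/"):
            hits.append(line)
    return hits


if __name__ == "__main__":
    session = Session(form_key="abc123")
    # Constructed forged request: GET to the save endpoint, no form_key, script in the name.
    forged = {"code": "<script>alert(1)</script>"}
    print(save_group("GET", "/customer/group/save/", forged, session, [],
                     csrf_ok_weak, render_group_cell_weak))          # (200, unescaped markup)
    print(save_group("GET", "/customer/group/save/", forged, session, [],
                     csrf_ok_hardened, render_group_cell_hardened))  # (403, 'Invalid form key')
```

The hardened check deliberately rejects any non-POST request to a state-changing path before it even looks at form_key; binding the token check to the action rather than to the method is what closes the GET bypass. Output escaping is kept in the renderer rather than at save time so that the stored value stays intact for other consumers and every page that shows the group name is covered.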

Mitigation

Update to version 1.9.3.6, 1.14.3.6, 2.0.16 or 2.1.9.

Vulnerable software versions

Magento Open Source: 1.9.0.0 - 1.9.3.5

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.8

External links

http://www.defensecode.com/advisories/DC-2017-09-001_Magento_CSRF_Stored_Cross_Site_Scripting.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


