Main Vulnerability Database SB2018102403

SB2018102403 - PHP code injection in TBT_Rewards extension for Magento

Published: October 24, 2018

Security Bulletin ID SB2018102403

Severity

Critical

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) PHP code injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The weakness exists due to PHP code injection. A remote attacker can send a specially crafted Zend_Log object and abuse PHP’s unserialize() function to inject and execute own PHP code and modify the database or any Javascript files.

Note: the vulnerability has been actively exploited by Magecart group to steal payment card data.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/