Multiple vulnerabilities in Magento Commerce and Open Source

Published: 2019-10-30 | Updated: 2019-10-30
Severity High
Patch available YES
Number of vulnerabilities 16
CVE ID CVE-2019-8235
CWE ID CWE-200
CWE-79
CWE-264
CWE-799
CWE-352
CWE-918
CWE-94
CWE-284
CWE-89
Exploitation vector Network
Public exploit N/A
Vulnerable software Magento Subscribe
Magento Open Source
Magento Commerce
Vendor Magento, Inc

Security Advisory

1) Information disclosure

Severity: Medium

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-8235

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Insecure direct object references issue. A remote authenticated user can view personally identifiable shipping details of another user.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

Severity: High

CVSSv3: 7.1 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can inject and execute arbitrary HTML through a CLI command and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

Severity: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to spam using share a wishlist functionality. A remote attacker can send spam messages.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Missing CAPTCHA

Severity: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-799 - Improper Control of Interaction Frequency

Description

The vulnerability allows a remote attacker to spamming.

The vulnerability exists due to missing CAPTCHA on Send to a friend page. A remote attacker can send spam messages on the vulnerable page.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cross-site request forgery

Severity: Medium

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can delete the content of wyswig directory within the context of authenticated administrator's session, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site request forgery

Severity: Medium

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can  delete the site map within the context of an authenticated administrator's session, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cross-site request forgery

Severity: Medium

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can delete a product attribute within the context of authenticated administrator's session, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Commerce: 1.14.0.0, 1.14.0.1, 1.14.1.0, 1.14.2.0, 1.14.3.0, 1.14.3.1, 1.14.3.2, 1.14.3.3, 1.14.3.4, 1.14.3.5, 1.14.3.6, 1.14.3.7, 1.14.3.8, 1.14.3.9, 1.14.3.10, 1.14.4.0

Magento Open Source: 1.9.0.0, 1.9.0.1, 1.9.1.0, 1.9.2.0, 1.9.2.1, 1.9.2.2, 1.9.2.3, 1.9.2.4, 1.9.3.0, 1.9.3.1, 1.9.3.2, 1.9.3.3, 1.9.3.4, 1.9.3.5, 1.9.3.6, 1.9.3.7, 1.9.3.8, 1.9.3.9, 1.9.3.10, 1.9.4.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Server-Side Request Forgery (SSRF)

Severity: High

CVSSv3: 7.9 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to the unsafe handling of an API call to a core bundled extension. A remote authenticated attacker with privileges to configure store settings can execute arbitrary code execution through server-side request forgery.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Code Injection

Severity: Medium

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in email template. A remote administrator can send a specially crafted request and execute arbitrary code through email templates on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Code Injection

Severity: Medium

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation via crafted newsletter and email templates . A remote authenticated attacker with privileges to create newsletter or email templates can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper access control

Severity: Medium

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions of the Insecure direct object reference in the application. A remote authenticated attacker can enumerate and access unauthorized wishlist via insecure direct object reference in the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper access control

Severity: Medium

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to a bypass of authentication controls for a customer using a web API endpoint. A remote authenticated attacker can control other customer's requisition lists by using a web API endpoint to send a request to the server. This overrides the customer_id parameter.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Permissions, Privileges, and Access Controls

Severity: High

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to bypassing the need for administrator authentication approval on B2B accounts. A remote authenticated attacker can create a B2B account without administrative approval.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Information disclosure

Severity: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to administrative credentials are logged in exception reports. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Commerce: 1.14.0.0, 1.14.0.1, 1.14.1.0, 1.14.2.0, 1.14.3.0, 1.14.3.1, 1.14.3.2, 1.14.3.3, 1.14.3.4, 1.14.3.5, 1.14.3.6, 1.14.3.7, 1.14.3.8, 1.14.3.9, 1.14.3.10, 1.14.4.0

Magento Open Source: 1.9.0.0, 1.9.0.1, 1.9.1.0, 1.9.2.0, 1.9.2.1, 1.9.2.2, 1.9.2.3, 1.9.2.4, 1.9.3.0, 1.9.3.1, 1.9.3.2, 1.9.3.3, 1.9.3.4, 1.9.3.5, 1.9.3.6, 1.9.3.7, 1.9.3.8, 1.9.3.9, 1.9.3.10, 1.9.4.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Information disclosure

Severity: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to default configuration allows public access to custom PHP settings. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) SQL injection

Severity: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote unauthenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Commerce: 1.14.0.0, 1.14.0.1, 1.14.1.0, 1.14.2.0, 1.14.3.0, 1.14.3.1, 1.14.3.2, 1.14.3.3, 1.14.3.4, 1.14.3.5, 1.14.3.6, 1.14.3.7, 1.14.3.8, 1.14.3.9, 1.14.3.10, 1.14.4.0

Magento Open Source: 1.9.0.0, 1.9.0.1, 1.9.1.0, 1.9.2.0, 1.9.2.1, 1.9.2.2, 1.9.2.3, 1.9.2.4, 1.9.3.0, 1.9.3.1, 1.9.3.2, 1.9.3.3, 1.9.3.4, 1.9.3.5, 1.9.3.6, 1.9.3.7, 1.9.3.8, 1.9.3.9, 1.9.3.10, 1.9.4.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0

CPE External links

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



ImmuniWeb® AI Platform for Application Security Testing