[SingCERT] Alert on Critical SQL Injection Vulnerability in Magento software

Published on Saturday, 30 March 2019 11:00

Background

The developers of Magento, an open-source e-commerce platform, were alerted to reports of active cyber attacks on online stores running the platform.

The ongoing attacks exploit a critical SQL Injection (SQLi) vulnerability uncovered in Magento’s e-commerce platform. The flaw can be exploited without authentication, so affected websites face significant risk of data breaches.

Magento has released a new version to patch the flaw.

Affected Products

The affected Magento versions are:
•  2.1 prior to 2.1.17
•  2.2 prior to 2.2.8
•  2.3 prior to 2.3.1
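The version ranges above are the check an administrator needs to run across an estate of Magento stores. The following script is an added example, not part of the SingCERT advisory or of Magento itself: it encodes the three affected branches and their first fixed releases exactly as listed above, classifies a version string as affected, patched, or not covered by this advisory, and runs that classification over a constructed host inventory (the host names and version strings are made up for illustration, and the parser assumes Magento's usual major.minor.patch form).

```python
# Added example (not from the SingCERT advisory): classify Magento 2 versions
# against the affected ranges the advisory lists.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected branches mapped to the first fixed release in each branch,
# taken directly from the advisory's "Affected Products" list.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (2, 1): (2, 1, 17),
    (2, 2): (2, 2, 8),
    (2, 3): (2, 3, 1),
}


def parse_version(version: str) -> Version:
    """Parse 'major.minor.patch'; a trailing suffix such as '-p1' is ignored."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def status(version: str) -> str:
    """Return 'affected', 'patched', or 'not covered by advisory'.

    A branch the advisory does not list (e.g. 2.0 or 1.x) is reported as
    'not covered' rather than assumed safe, so it is not silently dropped.
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        return "not covered by advisory"
    # Tuple comparison is lexicographic, so (2, 3, 0) < (2, 3, 1) is True.
    return "affected" if v < fixed else "patched"


def recommended_upgrade(version: str) -> Optional[str]:
    """First fixed release for an affected version, else None."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None or v >= fixed:
        return None
    return ".".join(str(x) for x in fixed)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Classify every host in an inventory of {hostname: version}.

    Returns (host, version, status, upgrade_target) tuples with affected
    hosts first, so the output doubles as a prioritised patch list.
    """
    rows = [(host, ver, status(ver), recommended_upgrade(ver))
            for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (r[2] != "affected", r[0]))


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "shop-eu.example": "2.3.0",
    "shop-us.example": "2.2.8",
    "shop-legacy.example": "2.1.16",
    "shop-old.example": "2.0.18",
}

if __name__ == "__main__":
    for host, ver, st, target in triage(SAMPLE_INVENTORY):
        action = f"upgrade to {target}" if target else "no action from this advisory"
        print(f"{host:22} {ver:8} {st:25} {action}")
```

Running the script prints the affected stores first, each with the minimum release that closes the flaw; the "not covered" status is deliberate so that versions outside the three listed branches are reviewed by hand rather than assumed patched.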

Impact

Attackers exploiting the SQLi flaw could gain control of Administrator accounts and download information saved on the platform, such as user credentials and password hashes. Attackers could also install backdoors for subsequent unauthorised access or plant malicious card-skimming code to harvest shoppers' credit card details.

Recommendations

Magento Administrators are advised to update to the latest version immediately to patch the flaw.

https://onilab.com/blog/magento-march-2019-update-sql-injection-fixes-highlights/