Critical XSS (Cross-Site Scripting) vulnerabilities have been found in both version 1 and 2 of the popular Magento ecommerce platform.
If you run a Magento website, you should update it now.
20 vulnerabilities have been fixed in the SUPEE-7405 patch bundle for the 1.* branch, of which two are marked Critical and four High. Affected versions include all versions of Magento Community Edition prior to 184.108.40.206 and all versions of Magento Enterprise Edition prior to 220.127.116.11.
There are 11 vulnerabilities fixed in Magento 2.0.1 Security Update for the 2.* branch, of which one is Critical and three High. Affected versions in the 2.* branch include all versions of Magento Community Edition and Magento Enterprise Edition prior to 2.0.1.
For as long as there have been websites, the vast majority of vulnerabilities have come about because of a failure to handle incoming data properly and the list of Magento vulnerabilities is no exception.
The most serious though are the Critical XSS vulnerabilities.
Each of them could be used to take over vulnerable ecommerce sites, putting the stores’ users and their credit card data at risk, as well as representing a serious threat to the business behind the store.
All an attacker’s software needs to do is register for a vulnerable store using a spiked email address (or a spiked username if it’s running version 2).
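The underlying defect is the one named above: user-supplied registration data (an email address, or a username in the 2.* branch) is stored and later rendered into an admin page without being treated as text. The following PHP is an added illustration of the two controls that close that gap, written for this article rather than taken from Magento’s code or the patch; the function names, the sample inputs and the table layout are all assumptions.

```php
<?php
// Added example (not Magento code): validate registration fields on the way in
// and HTML-encode them on the way out, so a value containing markup is either
// rejected or rendered as literal text in the admin panel.

// 1. Validate at the input boundary. An email address has a strict syntax, so a
//    value that does not parse as one is refused before it is ever stored.
function acceptEmail(string $candidate): ?string
{
    $trimmed = trim($candidate);
    if (filter_var($trimmed, FILTER_VALIDATE_EMAIL) === false) {
        return null; // reject; nothing reaches the database
    }
    return $trimmed;
}

// 2. Encode at the output boundary. Whatever was stored, emit it as text.
//    ENT_QUOTES encodes both quote characters, so the result is also safe
//    inside an attribute value, not only between tags.
function renderCell(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// The defective pattern, kept for contrast: stored data concatenated straight
// into markup, which is what lets a stored field become a script in the admin UI.
function renderCellUnsafe(string $stored): string
{
    return '<td>' . $stored . '</td>';
}

// Constructed sample inputs (not values from the advisory). The second one
// carries ordinary HTML tags to show that markup is neither accepted nor rendered.
$samples = [
    'alice@example.com',
    '<b>bold</b>@example.com',
];

foreach ($samples as $input) {
    $accepted = acceptEmail($input);
    echo "input:    {$input}\n";
    echo 'validate: ' . ($accepted === null ? 'REJECTED' : 'accepted') . "\n";
    // Even if validation were bypassed or an older record already holds markup,
    // output encoding keeps the admin page from interpreting it.
    echo 'unsafe:   ' . renderCellUnsafe($input) . "\n";
    echo 'encoded:  ' . renderCell($input) . "\n\n";
}
```

Running this with the PHP CLI prints the first address as accepted and rendered unchanged, and the second as rejected at validation and, on the output side, with its angle brackets turned into `&lt;` and `&gt;` by the encoded renderer while the unsafe renderer passes the tags through. The point for a defender is that the two controls are independent: validation limits what can be stored, and output encoding protects pages that display data that was stored before a fix shipped.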
Magento is extremely popular and this means every Magento user should be on their guard.
Criminals aren’t interested in hacking just one or two stores, and they don’t care if your site’s a whale or a minnow. They use software to target and take over as many sites as they can in the most cost-effective way so they can harvest customer data, steal credit cards and turn the sites into distribution channels for malware and spam.
In other words, it’s a numbers game.
According to W3Techs, Magento is running on about 1.3% of all sites, making it the fourth most popular website CMS (Content Management System) and the only one in the top five that’s a specialist ecommerce system.
A 1.3% share of the web gives Magento an installed base of roughly 13 million websites – potential targets that are all exploitable in the same, repeatable, way.
The sooner the criminals can start their attacks, the more chance they have of catching people who haven’t updated their software. Web Application Firewalls can help but patching quickly is essential.
In October 2014, automated attacks on sites running vulnerable versions of Drupal, another popular content management system, began within a few hours of a critical vulnerability being revealed.
If you’re running a Magento store, patch it now.
If you want to know more about keeping your Magento site secure, you should start with the Magento Security Best Practices document.