Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Businesses

Unpatched Magento Zero Day Leaves 200,000 Merchants Vulnerable (threatpost.com) 29

An anonymous reader quotes ThreatPost: A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk... According Bosko Stankovic, information security engineer at DefenseCode, despite repeated efforts to notify Magento, which began in November 2016, the vulnerability remains unpatched despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code... The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.
DefenseCode says the exploit can be mitigated by enforcing Magento's "Add Secret Keys To URLS" feature, warning in a paper that the hole otherwise "could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information." Magento has confirmed the exploit, says they're investigating it, and promises they'll address it in their next patch release.
This discussion has been archived. No new comments can be posted.

Unpatched Magento Zero Day Leaves 200,000 Merchants Vulnerable

Comments Filter:

Keep up the good work! But please don't ask me to help.

Working...