On 28 March 2019, Magento released new versions of its e-commerce platform to address 37 recently discovered security issues, the most serious of which is an SQL injection vulnerability. If your online store runs on Magento, this release is worth your attention. Magento is one of the best-known e-commerce platforms: it is reported to power around 28 percent of websites across the internet, including more than 250,000 merchants on the open-source edition.
Most of the reported issues can only be exploited by authenticated users, but the most severe of them is an SQL injection vulnerability that an unauthenticated remote attacker can exploit. The flaw, tracked internally as PRODSECBUG-2198 and without a CVE ID at the time of the advisory, could let a remote attacker read sensitive data from a vulnerable store's database, including admin sessions and password hashes, which in turn could give the attacker access to the admin dashboard. The affected Magento versions are:
- Magento Open Source prior to 1.9.4.1
- Magento Commerce prior to 1.14.4.1
- Magento Commerce 2.1 prior to 2.1.17
- Magento Commerce 2.2 prior to 2.2.8
- Magento Commerce 2.3 prior to 2.3.1
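To turn the list above into a check you can run against an install, here is a small version comparison written for this page; it is not Magento's own tooling. It encodes the five "prior to" boundaries and reports whether a given edition and version falls below its fix. Assumptions, none of which the advisory itself states: Open Source and Commerce 2.x share version numbers, so the 2.x branches are keyed on major.minor regardless of edition; the version may be passed as a bare string or as the banner printed by `bin/magento --version` (only the dotted number is parsed, so the banner wording does not matter); a branch not listed above, such as 2.0, returns `None` rather than a verdict so it is not silently reported as safe.

```python
import re
from typing import Optional, Tuple

# First fixed release per affected branch, from the advisory list above.
# "prior to X" means every version strictly lower than X is affected.
FIRST_FIXED_1X = {
    "open-source": (1, 9, 4, 1),
    "commerce": (1, 14, 4, 1),
}
# Assumption: Open Source and Commerce 2.x share version numbers, so the
# 2.x branches are keyed on (major, minor) only.
FIRST_FIXED_2X = {
    (2, 1): (2, 1, 17),
    (2, 2): (2, 2, 8),
    (2, 3): (2, 3, 1),
}

VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the first dotted version number in text as a tuple of ints.

    Accepts a bare version ("2.2.7") or a CLI banner containing one
    (e.g. the output of `bin/magento --version`; the banner wording is an
    assumption, only the number is used). Suffixes such as "-p1" are ignored.
    """
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def first_fixed_version(edition: str, version: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    """Return the first fixed release for this install's branch.

    Returns None when the advisory lists no fix for the branch (for example
    Magento 2.0, or an edition name the 1.x table does not know).
    """
    if version[0] == 1:
        return FIRST_FIXED_1X.get(edition)
    if version[0] == 2:
        return FIRST_FIXED_2X.get(version[:2])
    return None


def is_affected(edition: str, version_text: str) -> Optional[bool]:
    """True if the install is below its fixed release, False if at or above it.

    None means the branch is not covered by the advisory; treat that as
    "unsupported, investigate", not as "safe".
    """
    version = parse_version(version_text)
    fixed = first_fixed_version(edition, version)
    if fixed is None:
        return None
    # Tuple comparison handles shorter strings: (1, 9, 4) < (1, 9, 4, 1).
    return version < fixed


if __name__ == "__main__":
    # Constructed sample inputs, not output from real installs.
    samples = [
        ("open-source", "1.9.4.0"),
        ("open-source", "1.9.4.1"),
        ("commerce", "1.14.4.0"),
        ("commerce", "Magento CLI 2.2.7"),
        ("open-source", "2.3.1"),
        ("open-source", "2.0.18"),
    ]
    for edition, text in samples:
        verdict = is_affected(edition, text)
        label = {True: "AFFECTED", False: "fixed", None: "not in advisory"}[verdict]
        print(f"{edition:12s} {text:22s} -> {label}")
```

Run it with the edition and version of each store you manage; anything reported as AFFECTED needs the update, and anything reported as "not in advisory" is on a branch the advisory does not cover and should be treated as unsupported rather than safe.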
Because Magento stores order histories and customers' personal and payment data, the flaw could lead to a serious breach. Given the data the platform holds and the risk an SQL injection of this kind represents, the Magento developers decided not to publish technical details of the flaw. Withholding details does not stop attackers from diffing the patch, so merchants should apply the update promptly rather than wait for public exploit details. Beyond the SQLi, Magento disclosed that the release also patches cross-site request forgery (CSRF), remote code execution (RCE), cross-site scripting (XSS) and related flaws.