Magento Community Edition < 1.9.3 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 8963

Synopsis

The remote web server is running an outdated instance of Magento Community Edition (CE) that is affected by multiple attack vectors.

Description

Versions of Magento CE prior to 1.9.3 are affected by multiple vulnerabilities :

- An unspecified flaw exists related to certain payment methods that may allow a remote attacker to potentially execute arbitrary code. No further details have been provided.
- A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the Admin Panel not properly sanitizing input to the 'ordering' or 'grouping' parameters before using it in SQL queries. This may allow an authenticated remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists that is due to the program failing to terminate sessions after a user has logged out. This may allow a remote attacker to more easily conduct a session hijacking attack, or allow an attacker with access to a user's computer to access the site after they believe they have logged out.
- A flaw exists as certificates are not properly validated. By spoofing the server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data related to calls to external services.
- A flaw exists that is triggered when performing hash checks, which may allow a remote attacker to conduct a timing attack against the password checking functionality. No further details have been provided.
- A flaw exists in the import/export functionality that is due to the program failing to perform checks when unserializing data. This may allow an authenticated remote attacker to potentially execute arbitrary code.
- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when handling request headers before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a XSS attack. This flaw exists because the Admin Panel does not validate input when handling categories before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that is triggered during the handling of a specially crafted GIF image. This may allow an authenticated remote attacker to cause a script timeout.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the Flash file uploader does not validate input before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists as HTTP requests to multiple forms do not properly validate form keys, or require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF/XSRF) attack causing the victim to update a cart or login or potentially have other unspecified impacts.
- A flaw exists when operating in certain unspecified configurations that may allow a remote attacker to log in as an existing store customer if they know that user's email address, without requiring that user's password.
- A flaw exists as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a CSRF/XSRF attack causing the victim to delete addresses or wishlist items.

Solution

Upgrade to Magento CE version 1.9.3 or later.

See Also

https://magento.com/security/patches/supee-8788

Plugin Details

Severity: Critical

ID: 8963

Family: CGI

Published: 11/4/2016

Updated: 3/6/2019

Vulnerability Information

CPE: cpe:/a:magento:magento

Patch Publication Date: 10/11/2016

Vulnerability Publication Date: 10/11/2016