A just-patched weakness in the Magento eCommerce platform has left millions of online merchants potentially at risk of a hijacking attack.
The XSS bug reportedly affects all versions of Magento Community Edition and Enterprise Edition prior to 1.9.2.3 and 1.14.2.3, respectively. Security researchers from Sucuri — the group who found and reported the problem — determined that a hacker could use the flaw to embed malicious JavaScript code inside customer registration forms.
Because those stored scripts run in the browser session of an administrator viewing the backend, the exploit makes it possible to completely control an entire server operating the eCommerce platform.
“The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend,” a Sucuri advisory explained. “Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do.”
XSS bugs are the result of Web applications not neutralizing executable code in user-supplied input, by escaping or stripping it, before that input is rendered back into a web page.
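As an added illustration in Python (not Magento's code and not from Sucuri's advisory), the pattern behind a stored XSS of this kind: a customer-supplied field rendered unescaped into an admin page beside the same field HTML-escaped, plus a check that flags stored records containing markup so data submitted before patching can be reviewed. The record layout, field names and sample values are constructed assumptions.

```python
import html
import re

# Constructed sample customer records, as a registration form might store them.
# The first record's "name" carries a harmless marker script to show the difference.
CUSTOMERS = [
    {"id": 1, "name": 'Alice <script>alert("xss")</script>', "email": "alice@example.invalid"},
    {"id": 2, "name": "Bob O'Neil & Sons", "email": "bob@example.invalid"},
]

# Hypothetical admin-panel row template (assumed; not Magento's template).
ROW_TEMPLATE = "<tr><td>{id}</td><td>{name}</td><td>{email}</td></tr>"


def render_customer_row_vulnerable(customer: dict) -> str:
    """Interpolates stored fields straight into admin HTML: the stored XSS pattern."""
    return ROW_TEMPLATE.format(**customer)


def render_customer_row_safe(customer: dict) -> str:
    """Escapes every field as HTML text before interpolation, so markup is shown, not run."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in customer.items()}
    return ROW_TEMPLATE.format(**escaped)


# Matches the start of an HTML tag (opening or closing) inside a stored string value.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def find_suspicious_fields(customers: list) -> list:
    """Audit stored records: return (id, field) pairs whose value contains an HTML tag."""
    hits = []
    for c in customers:
        for field, value in c.items():
            if isinstance(value, str) and TAG_RE.search(value):
                hits.append((c["id"], field))
    return hits


def contains_raw_script(rendered: str) -> bool:
    """True if the rendered HTML still carries an unescaped <script> tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for c in CUSTOMERS:
        print("vulnerable:", render_customer_row_vulnerable(c))
        print("safe:      ", render_customer_row_safe(c))
    print("records to review:", find_suspicious_fields(CUSTOMERS))
```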
They are a common kind of digital malady, and security experts are recommending that Magento users install the patch update as soon as possible.