The WordPress plugin “Display Widgets” distributes malware
On September 14, Magento, the developer of the e-commerce platform of the same name, released updates for Magento Commerce and Magento Open Source that fix numerous vulnerabilities, among them a critical remote code execution flaw.
In total, the updates to Magento 2.1.9 and 2.0.16 close 35 vulnerabilities of varying severity. One of them, tracked as APPSEC-1800, is rated critical: it allowed an administrator with limited rights to inject malicious code while creating a new CMS page.
The update also addresses three high-risk vulnerabilities (information leaks, arbitrary deletion and malicious code execution) and 28 medium-risk flaws, including XSS, CSRF, unauthorized data disclosure, denial of access, and the ability to expose data on all previous orders while a new one is being processed.
Magento also fixed two low-risk vulnerabilities. One (APPSEC-1709) made it easy to obtain the administrator’s e-mail address, and the other (APPSEC-1495) allowed editing an order field without having the right to view it.
Some of these vulnerabilities could be used by attackers to obtain information about orders, redirect users to another site, carry out man-in-the-middle attacks, retrieve information about past orders, or reuse cookies.
It is important to note that for 18 of the 35 vulnerabilities the attack comes from the inside, with an administrator account being used to harm the operation of the store. Store owners should therefore review their lists of administrators and install the updates.
Magento is one of the most popular open-source e-commerce platforms, accounting for about 30% of the market. More than 100 thousand online stores run on it, over two thousand third-party extensions are available for it, and the project community has about 375 thousand members.