Highlights and Updates

Magento Warns E-Commerce Sites to Upgrade ASAP to Prevent Attacks

Wednesday, 13th November 2019

Thepopular e-commerce platform Magento is urging web administrators to install itslatest security update in order to defend against malicious attacks in the wildthat could exploit a critical remote code-execution vulnerability.

While the company didnít specify what kinds of potential attacksthat websites should be concerned about (Threatpost reached out for comment onthis), Magento is a common target for the Magecartassociation of threat groups, which compromise websites built onunpatched e-commerce platforms in order to inject card-skimming scripts oncheckout pages. The scripts steal unsuspecting customersí payment card detailsand other information entered into the fields on the page.

The vulnerability (CVE-2019-8144),which carries a severity ranking of 10 out of 10 on the CVSS v.3 scale, couldenable an unauthenticated user to insert a malicious payload into a merchantíssite through Page Builder template methods, and execute it. Page Builder allowswebsites to design content updates, preview them live and schedule them to be published.The bug specifically exists in the preview function.