It has been reported that a critical vulnerability in the Magento e-commerce platform is putting as many as 300,000 commerce sites at risk of card-skimming infections until they install a recently released patch.
Magento is reportedly used on over 15 million eCommerce sites. With the proliferation of attacks like Magecart, vulnerabilities like this in Magento can become a serious security risk very quickly.
A critical #vulnerability in the #Magento e-commerce platform is putting as many as 300,000 commerce sites at risk of card-skimming infections until they install a recently released patch. https://t.co/3py79C2oyh #ITSecurity #Cybersecurity
— Hornetsecurity (@Hornetsecurity) March 29, 2019
Satnam Narang, Senior Research Engineer at Tenable:
“Earlier this week, Magento published a security update to address over 30 vulnerabilities in Magento Open Source and Commerce. Most notable in this release is a patch for PRODSECBUG-2198, an unauthenticated SQL injection vulnerability that can lead to remote code execution. Magento states that Open Source versions prior to 1.9.41 and Magento Commerce versions prior to 220.127.116.11, 2.1.17, 2.2.8 and 2.3.1 are affected by PRODSECBUG-2198.
“While there is no proof of concept code or exploit scripts available for this bug yet, due to the relative ease of exploitation, Magento site owners should upgrade to these patched versions as soon as possible. Magento e-commerce websites have been a popular target for cybercriminals for years, so the existence of an unauthenticated remote code execution bug certainly won’t go unnoticed.”