Magento has released security updates for at least 30 different vulnerabilities in its software. As a result, e-commerce businesses are being warned to immediately download the latest fix for a SQL injection vulnerability in pre-2.3.1 Magento code; the patched releases are Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17. The latest versions contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.
Magento’s software vulnerabilities put as many as 300,000 commerce sites at risk of card-skimming infections. According to the March 26 Magento advisory, “Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.1. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.”
On March 27, ZDNet reported that fraudsters and cybercriminals are also “abusing a feature of Magento online shops to test the validity of stolen debit and credit card numbers.”
The vulnerabilities are being exploited in the wild, and attackers are reportedly targeting online stores that use the PayPal PayFlow integration, testing the validity of the credit cards with a $0 charge.
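A defender-side heuristic for the card-testing activity described above, as an added example that is not from the article or from Magento: it scans constructed payment-gateway authorization log lines and flags client IPs that issue many zero-amount authorizations against many distinct cards within a short window. The log format, field names and thresholds are assumptions; the IP addresses are documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of gateway authorization log lines (not real data).
# Assumed format: "<ISO timestamp> ip=<client> amount=<USD> card=<token> result=<ok|declined>"
SAMPLE_LOG = """\
2019-03-27T10:00:01 ip=203.0.113.7 amount=0.00 card=tok_a1 result=declined
2019-03-27T10:00:03 ip=203.0.113.7 amount=0.00 card=tok_b2 result=ok
2019-03-27T10:00:04 ip=203.0.113.7 amount=0.00 card=tok_c3 result=declined
2019-03-27T10:00:06 ip=203.0.113.7 amount=0.00 card=tok_d4 result=ok
2019-03-27T10:00:09 ip=203.0.113.7 amount=0.00 card=tok_e5 result=declined
2019-03-27T10:02:00 ip=198.51.100.2 amount=49.99 card=tok_f6 result=ok
2019-03-27T10:05:00 ip=198.51.100.9 amount=0.00 card=tok_g7 result=ok
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and numeric amount."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    rec["amount"] = float(rec["amount"])
    return rec


def find_card_testing(log_text, window=timedelta(minutes=5),
                      min_attempts=5, min_distinct_cards=4):
    """Return {ip: distinct_card_count} for IPs whose zero-amount authorizations
    inside one sliding time window reach both thresholds (assumed heuristic)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["amount"] == 0.0:          # only $0 "validity check" authorizations
                by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until all records fit inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            cards = {r["card"] for r in window_recs}
            if len(window_recs) >= min_attempts and len(cards) >= min_distinct_cards:
                flagged[ip] = max(flagged.get(ip, 0), len(cards))
    return flagged
```

A single legitimate $0 authorization (such as a card-on-file check) does not trip the thresholds; only the burst from one client against many different cards does.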
No proof of concept yet exists, but exploitation is relatively easy, according to Satnam Narang, senior research engineer for security firm Tenable.
“Magento site owners should upgrade to these patched versions as soon as possible. Magento e-commerce websites have been a popular target for cybercriminals for years, so the existence of an unauthenticated remote code execution bug certainly won’t go unnoticed.”