Magento patched 20 vulnerabilities last week, including a stored cross-site scripting (XSS) flaw in the e-commerce platform that could have let an attacker take over a site and create new admin accounts.

Researchers at Sucuri dug up the XSS vulnerability while combing through research audits last November. It took a while for Magento to get back to researchers — two months elapsed since the firm’s original report – but Magento finally pushed a fix for the issue last Wednesday as part of patch bundle SUPEE-7405.

The vulnerability, which exists in the platform’s core libraries, affects all versions of Magento CE before 1.9.2.3 and every version of Magento EE before 1.14.2.3.

Marc-Alexandre Montpas, a vulnerability researcher at Sucuri, warned in a blog post on Friday that Magento users who have a “very heavily modified administration panel” are more likely to be at risk and should update as soon as possible.

If exploited the bug could’ve been used to take over a site, create new administrator accounts, steal client information, “anything a legitimate administrator account is allowed to do,” Montpas wrote.

The bug stems from a validation mechanism in the admin panel that Magento uses to verify whether strings are email addresses.

An attacker could have inserted Javascript in that mechanism — once an administrator goes to verify an order, and it’s script – not an email address like it should be – it executes, and triggers an XSS.

According to Piotr Kaminski, lead product manager at Magento, the stored cross-site scripting bug is one of seven XSS bugs addressed by the last week’s update. Including the XSS vulnerabilities, SUPEE-7405 addresses 20 bugs, including a few CSRF vulnerabilities, a denial of service vulnerability, and two information leakage bugs.

Categories: Vulnerabilities, Web Security