Magento Patches Critical SQL Injection and RCE Vulnerabilities

magento e-commerce software bugs patches

Magento patched 37 flaws Thursday, including a stored cross-site scripting (XSS) vulnerability that could have let an attacker take over a site.

Magento patched 37 vulnerabilities on Thursday, including a host of critical flaws in the e-commerce platform that could have let attackers perform a range of malicious activities, such as take over a site and create new admin accounts.

The most serious of the bugs is a remote code-execution (RCE) vulnerability that could allow an authenticated user, with limited permissions, to create specially crafted newsletters and email templates that can be used to execute arbitrary code on targeted systems. The vulnerability has a CVSS score of 9.8 and impacts Magento versions 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8 and Magento 2.3 prior to 2.3.1.

A second critical bug patched by Magento is an unauthenticated SQL injection vulnerability that could allow an attacker exploiting the flaw to “read from the [Magento] database, [and] extract admin sessions or password hashes and use them to access the backend,” according to Ambionics Security. This would allow site takeover with the stolen credentials.


On Friday, Ambionics Security released an analysis of the bug and a working proof-of-concept attack model that would allow for extraction of admin sessions or password hashes.

“One of the main classes handling the DB is Magento\Framework\DB\Adapter\Pdo\Mysql. After a few minutes of auditing, an interesting bug emerged in one of its method, prepareSqlCondition,” security engineer Charles Fol at Ambionics wrote in the technical breakdown.

He added that the error in code was minor — however it’s “very impactful.” He added, “Surprisingly enough, this piece of code has been present since Magento 1.x.”

The bug has a CVSS score of 9.0 and affects Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1.

Researchers at Sucuri Security, for their part, focused on a SQL injection issue in Magento Core in its analysis of Magento’s 37 patches. It warned the bug is rated critical (CVSS 8.8) and “very easy” to exploit remotely.

“[This] SQL injection vulnerability… can be exploited without any form of privilege or authentication. Given the sensitive nature of the data Magento e-commerce sites handle on a daily basis, this is a security threat that should be patched by affected site owners as soon as possible,” wrote Marc-Alexandre Montpas, a Sucuri researcher.

The affected Magento Core versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8 and 2.3 prior to 2.3.1.

According to the v3.0 standards of the Common Vulnerability Scoring System, Magento released four critical patches, four high severity patches and 26 medium severity bugs and three low severity bugs in the patch roundup.

Don’t miss the free replay of our Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub.”

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.

Suggested articles