- The e-commerce platform released patches for both Magento Commerce and Magento Open Source variants.
- The SQL flaw found in versions 2.3.1 and earlier could allow attackers to steal sensitive information from databases connected to Magento-based sites.
Content management software provider Magento has released a string of updates to fix multiple security holes in its platform. These updates come after the platform was targeted in a number of attacks since February.
One critical flaw that was addressed with the updates is a SQL-injection bug that could allow attackers to execute malicious codes, and obtain sensitive information from databases used by Magento-based sites.
The big picture
- The new versions 2.3.1, 2.2.8 and 2.1.17 fix the security vulnerabilities discovered in both Magento Commerce as well as Magento Open Source.
- In the advisory published by Magento, online sites using versions below Magento 2 are advised to move to Magento Commerce & Open Source.
- The SQL-injection bug, designated as ‘PRODSECBUG-2198’ by Magento, could allow an unauthenticated user to run malicious arbitrary code and subsequently steal sensitive data. As of now, no technical details are available for this bug.
- Other bugs that were patched include remote code execution, cross-site scripting, privilege escalation, cross-site request forgery, and information disclosure flaws.
Databases at risk
Since SQL injections corrupt databases, Magento users are advised to update to the latest versions as soon as possible.
“Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious because they can be automated — making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” Sucuri stated in its blog.