High Risk 0-day Vulnerability Found in Magento eCommerce
During the security audit of Magento Community Edition, a highly popular e-commerce platform, a high risk vulnerability was discovered that could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information. The vulnerability is based around an arbitrary file upload combined with a cross-site request forgery (CSRF) vulnerability as a main attack vector.
Despite the efforts of our team in notifying the vendor on more than one occasion since November 2016, the vulnerability remains unpatched.
Full vulnerability details are published as an advisory.
- Latest Generation of Dynamic Application Security Testing solution from DefenseCode – WebStrike
- Ubiquitous AI Corporation appointed as DefenseCode’s partner
- DefenseCode announces GitHub Action to provide SAST solution for developers
- DefenseCode ThunderScan® SAST 2.1.0 added support for Go and ABAP languages
- ThunderScan® Enterprise SAST Now Supports Linux