Magento security flaw exposed – have you fixed it?

If you run a Magento driven webstore or ecommerce site it’s time to make sure that you’re running a patched version of the platform, because a significant security flaw has been revealed. And if you don’t run the site yourself, it’s a good idea to get in touch with your supplier or agency to make sure you’re covered. They may well have been in touch already.

Here’s what Magento says of the flaw: “During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.”

Both versions 1 and 2 of Magento are affected, and the problem can be exploited simply by registering an account with a ‘spiked’ username or email address, so no login to the admin area is needed and the attack can be scripted and run against many stores at once. It is a stored cross-site scripting (XSS) flaw: the malicious value is saved with the customer record and only fires later, when an administrator views the order in the backend. The risk is that a Magento store can effectively be hijacked, meaning user data such as passwords and payment details could be at risk.

Here are the two security updates you need to familiarise yourself with:

https://magento.com/security/patches/supee-7405

https://magento.com/security/patches/magento-201-security-update

Were you aware of these problems and have you been affected? Hopefully not.