Magento security flaw exposed – have you fixed it?

By Dan Wilson February 2, 2016 - 11:18 am

If you run a Magento driven webstore or ecommerce site, it’s time to make sure that you’re running a protected version of the system, because a significant security flaw has been revealed. And if you don’t run the site personally, it’s a good idea to get in touch with your supplier to make sure you’re sorted. They may well have been in touch already.

Here’s what Magento says of the flaw: “During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.”

Apparently both versions 1 and 2 of Magento are affected, and the problem can be exploited just by registering with a ‘spiked’ username or email address. That means the flaw can be exploited by an automated attack. The risk is that a Magento store can effectively be hijacked, meaning user data such as passwords and payment details could be exposed.
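To make the two defensive layers concrete, here is an added illustration (not Magento’s own code, which is PHP) of the pattern behind the flaw: strict validation of the registration email on the way in, and HTML output encoding when the value is rendered in an admin page. The regex and sample registrations are assumptions constructed for the example.

```python
import html
import re

# Strict allow-list for storefront email input (an assumption for this example,
# not Magento's own validator). Only characters that can never form an HTML tag
# or attribute are permitted in the local part and domain.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_storefront_email(address: str) -> bool:
    """Return True only for addresses that match the strict allow-list."""
    return len(address) <= 254 and EMAIL_RE.fullmatch(address) is not None


def render_order_row_unsafe(email: str) -> str:
    """The flawed pattern: customer-supplied text dropped straight into admin HTML."""
    return f"<td class='customer-email'>{email}</td>"


def render_order_row_safe(email: str) -> str:
    """Hardened pattern: encode every untrusted value at the point of output."""
    return f"<td class='customer-email'>{html.escape(email, quote=True)}</td>"


def process_registration(email: str) -> dict:
    """Validate on input AND encode on output; each layer covers the other's gaps."""
    accepted = is_valid_storefront_email(email)
    return {
        "email": email,
        "accepted": accepted,
        "admin_html": render_order_row_safe(email) if accepted else None,
    }


# Constructed sample registrations, not payloads taken from the advisory.
SAMPLE_REGISTRATIONS = [
    "alice@example.com",
    '"<script>alert(1)</script>"@example.com',
    "bob+tag@sub.example.co.uk",
]

if __name__ == "__main__":
    for candidate in SAMPLE_REGISTRATIONS:
        print(process_registration(candidate))
```

Even if a validator is later relaxed to accept quoted local parts, the output encoding alone keeps the admin page from executing the value.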

Here are the two security updates you need to familiarise yourself with:

Were you aware of these problems and have you been affected? Hopefully not.
