Magento security flaw exposed – have you fixed it?

By Dan Wilson February 2, 2016 - 11:18 am

If you run a Magento-driven webstore or ecommerce site, it’s time to make sure you’re running a protected version of the system, because a significant security flaw has been revealed. And if you don’t run the site personally, it’s a good idea to get in touch with your supplier to make sure you’re sorted. They may well have been in touch already.

Here’s what Magento says of the flaw: “During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.”

Apparently both versions 1 and 2 of Magento are affected, and the problem can be exploited just by registering with a ‘spiked’ username or email address. That means the flaw can be triggered by an automated attack, with no further interaction needed. The risk is that a Magento store can effectively be hijacked, meaning user data such as passwords and payment details could be exposed.
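As an added illustration (not Magento's own code and not from the original post), the PHP below shows the pattern behind the flaw: a customer-supplied email interpolated into an admin page unescaped, beside the registration-time validation and output encoding that neutralise it. The function names and the sample address are constructed for the example.

```php
<?php
// Added example, not Magento code: the stored-XSS pattern the advisory describes,
// shown as a vulnerable render beside a hardened one. Names are hypothetical.

// Constructed sample of what an automated registration could submit as "email".
const SUBMITTED_EMAIL = 'jane@example.com<script>alert(1)</script>';

// Registration-time validation: accept only a syntactically valid address.
// Returns null for anything that is not an email, so markup never gets stored.
function validateEmail(string $input): ?string
{
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Vulnerable: the stored value is interpolated into admin HTML verbatim, so any
// tags inside it are parsed and script runs in the administrator's session.
function renderUnsafe(string $email): string
{
    return "<td class=\"customer-email\">$email</td>";
}

// Hardened: contextual output encoding turns < > " ' & into entities, so the
// browser displays the text instead of executing it. This is the control that
// holds even if a value slipped past validation through another field (e.g. the name).
function renderSafe(string $email): string
{
    return '<td class="customer-email">'
        . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// Demonstration: validation rejects the sample; only the safe render is inert.
$valid = validateEmail(SUBMITTED_EMAIL);
echo 'validation: ' . ($valid === null ? 'rejected' : "accepted as $valid") . PHP_EOL;
echo 'unsafe:     ' . renderUnsafe(SUBMITTED_EMAIL) . PHP_EOL; // markup left intact
echo 'safe:       ' . renderSafe(SUBMITTED_EMAIL) . PHP_EOL;   // markup entity-encoded
```

Validation alone is not a sufficient fix: every customer-controlled field shown in the admin backend needs output encoding in the template, which is what Magento's patches address.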

Here are the two security updates you need to familiarise yourself with:

Were you aware of these problems and have you been affected? Hopefully not.
