eBay Fixes Vulnerabilities In Magento E-Commerce Platform

eBay fixes flaws

E-commerce giant eBay has announced that it has patched three critical security vulnerabilities in its e-commerce system Magento that could have allowed remote attackers to inject malicious scripts into the application side of the vulnerable online-service module.

"The vulnerability is located in the 'general_front' values of the '/css/theme.less.php' front-end template file. Remote attackers are able to inject own script codes to client-side application requests," the advisory says.

Security researcher Hadji Samior, who discovered the flaws, said the XSS vulnerability in Magento allows hackers to conduct "client-side account theft by hijacking, client-side phishing, client-side external redirects and the non-persistent manipulation of affected or connected service modules."

The second vulnerability relates to input validation, and can be exploited by hackers with low-privilege user accounts on the application side.

The third security issue is a client-side CSRF vulnerability, which allows remote attackers with low-privilege user accounts to delete the internal Magento messages of other users.
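The two bug classes described above (a value reflected unescaped into a front-end CSS template, and a state-changing delete action that neither checks a request token nor verifies that the message belongs to the caller) are easiest to see side by side. The following is an added illustration and is not Magento's code or the researcher's proof of concept: the template string, the `general_front` allow-list, the `MessageStore` class and the sample values are all constructed for this example.

```python
import hmac
import html
import re
import secrets

# Allow-list for a CSS colour/keyword value: letters, digits, '#', '%', '.', ',',
# whitespace and '-'. Anything that could close a <style> block or start a tag
# ('<', '/', quotes, parentheses) is rejected outright. Constructed for this example.
SAFE_CSS_VALUE = re.compile(r"^[A-Za-z0-9#%.,\s-]{1,64}$")


def render_theme_css_vulnerable(general_front: str) -> str:
    """The unsafe pattern: a stored setting is reflected verbatim into a <style> block.

    A value such as 'red</style><b>injected</b>' breaks out of the stylesheet and
    lands in the HTML document, which is the reflected-XSS shape the advisory describes.
    """
    return f"<style>.front {{ color: {general_front}; }}</style>"


def render_theme_css_hardened(general_front: str) -> str:
    """Allow-list the value first, then HTML-escape it as a second layer.

    Escaping alone is not enough inside a CSS context, so a rejected value is
    replaced with a harmless default instead of being 'cleaned up'.
    """
    if not SAFE_CSS_VALUE.match(general_front):
        general_front = "inherit"  # reject anything outside the allow-list
    return f"<style>.front {{ color: {html.escape(general_front, quote=True)}; }}</style>"


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the user's session; the form must echo it back."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


class MessageStore:
    """Toy in-memory message store: message_id -> owning user id (constructed)."""

    def __init__(self) -> None:
        self.messages: dict[str, str] = {}

    def add(self, message_id: str, owner: str) -> None:
        self.messages[message_id] = owner

    def delete_message(self, session: dict, form_token: str, message_id: str) -> bool:
        """Delete only when (1) the CSRF token matches the session and (2) the
        caller owns the message. Returns True on success, False on any refusal.

        Check (1) stops a cross-site request forged on behalf of a logged-in user;
        check (2) stops a low-privilege account from deleting other users' messages.
        """
        expected = session.get("csrf_token")
        if not expected or not form_token or not hmac.compare_digest(expected, form_token):
            return False  # missing or mismatched token: treat as forged
        owner = self.messages.get(message_id)
        if owner is None or owner != session.get("user_id"):
            return False  # not the caller's message: authorization failure
        del self.messages[message_id]
        return True


if __name__ == "__main__":
    probe = "red</style><b>injected</b>"  # constructed break-out value
    print(render_theme_css_vulnerable(probe))  # tag survives into the page
    print(render_theme_css_hardened(probe))    # falls back to 'inherit'

    store = MessageStore()
    store.add("m1", "alice")
    store.add("m2", "bob")
    session = {"user_id": "alice"}
    token = issue_csrf_token(session)
    print(store.delete_message(session, "", "m1"))     # False: no token
    print(store.delete_message(session, token, "m2"))  # False: bob's message
    print(store.delete_message(session, token, "m1"))  # True
```

The ownership check in `delete_message` matters as much as the token: the advisory's point is that a low-privilege account could remove other users' messages, and a CSRF token alone does nothing about a request the attacker sends directly from their own session.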

Here is a video demonstrating the Cross Site Request Forgery Vulnerability in Magento:
