Description

Check Point researchers discovered a critical RCE (remote code execution) vulnerability in the Magento web e-commerce platform that can lead to the complete compromise of any Magento-based store, including credit card information as well as other financial and personal data.

Remediation

A patch to address the flaws was released on February 9, 2015 (SUPEE-5344). Install this patch or upgrade to the latest version of Magento.

References

Analyzing the Magento Vulnerability

Magento Community Edition Patches

Related Vulnerabilities

WordPress Plugin BJ Lazy Load Remote Code Execution (0.7.5)

Code Evaluation (Apache Struts) S2-045

WordPress Plugin Newsletter Subscription Form Possible Remote Code Execution (1.1.2)

WordPress Plugin wSecure Lite Remote Code Execution (2.3)

WordPress Plugin WordPress Shortcodes-Shortcodes Ultimate Remote Code Execution (5.0.0)

Severity

High

Classification

CVE-2015-1397 CVE-2015-1398 CVE-2015-1399 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution