CERT-In Vulnerability Note
Multiple Vulnerabilities in Magento
Original Issue Date: June 29, 2020
Severity Rating: HIGH
- Magento Commerce 1 (Magento Enterprise Edition) 126.96.36.199 and earlier
- Magento Open Source 1 (Magento Community Edition) 188.8.131.52 and earlier
Multiple vulnerabilities have been reported in Magento 1 which could allow an attacker with administrative privileges to execute arbitrary code or gain access to sensitive information on a targeted system.
1. PHP Object Injection Vulnerability
This vulnerability exists in Magento because user-supplied input is passed to the PHP unserialize() function without being properly sanitized. An attacker can exploit it by supplying a crafted serialized object, which PHP reconstructs as a live object of whatever class the input names (PHP Object Injection).
Successful exploitation of this vulnerability could allow an attacker with administrative privileges to execute arbitrary code on the targeted system.
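The pattern described above, as an added illustration that is not part of the CERT-In note or of Magento's code: a hypothetical class with a destructor stands in for any application class PHP can autoload, a constructed serialized string stands in for attacker-controlled input, and the two hardened loaders show how the deserialization step can be stripped of its code-execution surface.

```php
<?php
// Added example (not from the CERT-In note or the Magento code base).
// Shows why unserialize() on untrusted bytes is dangerous and two
// defensive alternatives. Runs offline with PHP >= 7.0.

// Hypothetical class standing in for any autoloadable application class.
// A magic method (__wakeup, __destruct, __toString, ...) whose behaviour
// depends on object properties is what makes object injection exploitable:
// the attacker chooses both the class and the property values.
class LogWriter
{
    public static $events = [];   // records destructor runs for this demo
    public $path = '/var/log/app.log';
    public $line = '';

    public function __destruct()
    {
        // In a real class this might write a file, run a query, or shell out.
        // Here it only records that it ran, and with which attacker-chosen path.
        self::$events[] = 'LogWriter::__destruct ran with path=' . $this->path;
    }
}

// Constructed sample: a serialized LogWriter as it might arrive in a cookie
// or form field. Nothing in the application ever created this object.
$untrusted = 'O:9:"LogWriter":2:{s:4:"path";s:13:"/tmp/evil.log";s:4:"line";s:5:"hello";}';

// VULNERABLE: whatever class the bytes name gets instantiated, and its
// magic methods run with attacker-controlled properties.
function loadStateVulnerable($input)
{
    return unserialize($input);
}

// HARDENED 1: keep unserialize() but forbid every class. Objects in the
// input become __PHP_Incomplete_Class, so no application method runs.
function loadStateNoClasses($input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// HARDENED 2 (preferred for new code): JSON cannot encode PHP objects,
// so decoding it has no class-instantiation side effects at all.
function loadStateJson($input)
{
    $data = json_decode($input, true, 512);
    return is_array($data) ? $data : null;
}

// Demonstration.
$obj = loadStateVulnerable($untrusted);
unset($obj);                       // destructor fires: attacker code path reached
print_r(LogWriter::$events);

$safe = loadStateNoClasses($untrusted);
echo get_class($safe), PHP_EOL;    // __PHP_Incomplete_Class, no LogWriter method ran
unset($safe);
print_r(LogWriter::$events);       // unchanged

var_dump(loadStateJson($untrusted));          // null: not JSON, rejected outright
var_dump(loadStateJson('{"user_id": 42}'));   // plain array, no objects possible
```

With `allowed_classes => false` the serialized LogWriter is rebuilt as `__PHP_Incomplete_Class`, so the destructor never executes; with the JSON loader the attacker's bytes are simply not valid input. Where a serialized format genuinely must be accepted, the remaining defences are authenticating the blob (an HMAC over the bytes, verified before unserialize()) and passing an explicit allow-list of expected classes instead of `false`.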
2. Stored Cross-Site Scripting Vulnerability
This vulnerability exists in Magento because user-supplied content is stored and later rendered into a web page without adequate sanitization. An attacker can perform Stored Cross-Site Scripting by injecting a specially crafted script into a webpage of an affected system, where it executes in the browser of every user who views that page.
Successful exploitation of this vulnerability could allow an attacker with administrative privileges to gain access to sensitive information on the targeted system.
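As an added illustration of the stored XSS class described above (not code from the CERT-In note or from Magento), the snippet below renders a constructed review record, stored with markup in two of its fields, once without and once with contextual output encoding. The record, the rendering functions and the `containsRawMarkup()` check are all hypothetical and exist only for this example.

```php
<?php
// Added example (not from the CERT-In note or the Magento code base).
// Stored XSS: attacker-controlled text is saved server-side and later
// rendered into HTML for other users. The defence is encoding every stored
// value for the exact context it lands in, at render time.

// Constructed sample of a stored record, as it might sit in the database.
// Both fields carry markup that must never reach the browser unencoded.
$storedReview = [
    'author'  => 'Mallory" onmouseover="alert(1)',
    'comment' => 'Nice product!<script>alert(1)</script>',
];

// VULNERABLE: stored text is concatenated straight into HTML, once inside
// an attribute value and once inside element content.
function renderReviewVulnerable(array $review)
{
    return '<div class="review" data-author="' . $review['author'] . '">'
         . '<p>' . $review['comment'] . '</p></div>';
}

// Encoder for HTML element content and double/single-quoted attributes.
// ENT_QUOTES encodes both quote kinds; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning '' (which would silently drop the field).
function e($text)
{
    return htmlspecialchars((string)$text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HARDENED: identical template, every dynamic value passes through e().
function renderReviewSafe(array $review)
{
    return '<div class="review" data-author="' . e($review['author']) . '">'
         . '<p>' . e($review['comment']) . '</p></div>';
}

// Cheap review-time check: does any stored field that contains markup
// characters appear verbatim in the rendered output? True means a value
// was emitted without encoding. (Heuristic, not a substitute for review.)
function containsRawMarkup($html, array $fields)
{
    foreach ($fields as $value) {
        if (preg_match('/[<>"\']/', $value) && strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

echo renderReviewVulnerable($storedReview), PHP_EOL;
echo renderReviewSafe($storedReview), PHP_EOL;
var_dump(containsRawMarkup(renderReviewVulnerable($storedReview), $storedReview)); // true
var_dump(containsRawMarkup(renderReviewSafe($storedReview), $storedReview));       // false
```

The encoded output turns `"` into `&quot;` and `<` into `&lt;`, so the attribute cannot be closed early and the script element is displayed as text rather than executed. Note that `htmlspecialchars()` is only correct for HTML content and quoted attributes; a value placed inside a JavaScript string, a URL, or CSS needs a context-specific encoder, and Magento 1 block classes expose `escapeHtml()` and `escapeUrl()` helpers for the first two of those contexts in templates.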
Update to the latest versions as available at the following URL:
Note: Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June 2020. Users are advised to upgrade to Magento 2.x.
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003