Magento

Security researchers from DefenseCode released proof-of-concept code on Wednesday for two Magento vulnerabilities patched last month.

The PoCs are included in two advisories the company published for vulnerabilities its researchers discovered in Magento's open-source and cloud-hosted platforms. Both vulnerabilities are a combination of CSRF and XSS bugs (CSRF = cross-site request forgery, XSS = cross-site scripting).

The vulnerabilities affect Magento's Customer Groups and Newsletter Templates features. The published exploit code allows attackers to take over admin accounts.

Social engineering and user interaction are needed: an attacker must convince a store owner to click a link to a booby-trapped URL, although this shouldn't be that hard in this day and age.

Magento issued patches for both security flaws in mid-September, when it released Magento 2.0.16 and 2.1.9 (APPSEC-1852 and APPSEC-1853).

The vulnerabilities are part of a set of 34 issues Magento fixed in last month's update train. The availability of a detailed PoC should be enough to push store admins to update their platforms, if they haven't done so already.

Magento is not as popular a CMS as WordPress or Drupal, but unlike most other CMSs it is often one of the most targeted platforms, because of what it does: it handles vast amounts of payment card data. Magento estimates that over 200,000 retailers use its platform.