Risk | Low |
Patch available | YES |
Number of vulnerabilities | 34 |
CVE-ID | N/A |
CWE-ID | CWE-264 CWE-352 CWE-300 CWE-20 CWE-79 CWE-200 CWE-22 CWE-94 CWE-601 CWE-384 CWE-190 CWE-284 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
Adobe Commerce (formerly Magento Commerce) | Web applications / E-Commerce systems
Magento Open Source | Web applications / E-Commerce systems
Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 34 vulnerabilities.
EUVDB-ID: #VU8453
Risk: High
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber]
CVE-ID: N/A
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists due to an unspecified error in CMS page and layout handling. A remote authenticated attacker can embed malicious code when creating a new CMS page and execute arbitrary code on the server.
Mitigation
The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6
Magento Open Source: 1.9.0.0 - 1.9.3.5
https://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
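The fixed releases named above (Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9) are repeated for every entry in this bulletin, so the practical question for an operator is simply whether an installed version sorts below the fix on its release line. The checker below is an added example, not part of the bulletin or of Magento; the mapping of release lines to fixed versions is derived from the versions the bulletin lists, the accepted input formats (a bare version, the output of `bin/magento --version`, or a version with a `-pN` suffix) are assumptions, and a release line the bulletin does not mention (such as 2.2.x) is reported as out of scope rather than as safe.

```python
"""Check whether a Magento / Adobe Commerce version predates the fixes this
bulletin lists. Added example; not Magento's code.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases named in the bulletin, keyed by release line (major, minor).
# Any version on the same line that sorts below the fix is treated as affected.
# This mapping is an assumption derived from the fixed versions the bulletin names.
FIXED_BY_LINE = {
    (1, 9): (1, 9, 3, 6),    # Magento Open Source 1.9.x
    (1, 14): (1, 14, 3, 6),  # Magento Commerce 1.14.x
    (2, 0): (2, 0, 16),      # Magento 2.0.x (both editions)
    (2, 1): (2, 1, 9),       # Magento 2.1.x (both editions)
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Version:
    """Extract the first dotted numeric version from strings such as '2.1.8',
    'Magento CLI version 2.1.8' or '1.9.3.5-p1' (assumed input formats; any
    suffix after the digits, e.g. '-p1', is ignored)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(text: str) -> Optional[bool]:
    """True if the version predates the fix on its release line, False if it is
    at or above the fix, None if the line is not covered by this bulletin."""
    v = parse_version(text)
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return None
    # Tuple comparison does the right thing element by element: (2, 1, 8) < (2, 1, 9).
    return v < fixed


def report(text: str) -> str:
    """Human-readable one-line verdict for a version string."""
    v = parse_version(text)
    shown = ".".join(map(str, v))
    status = is_affected(text)
    if status is None:
        return f"{shown}: release line not covered by this bulletin"
    fixed = ".".join(map(str, FIXED_BY_LINE[v[:2]]))
    return f"{shown}: {'AFFECTED' if status else 'not affected'} (fix is {fixed})"


if __name__ == "__main__":
    import sys
    # Constructed sample inputs when no arguments are given.
    for arg in sys.argv[1:] or ["Magento CLI version 2.1.8", "1.9.3.6", "2.2.0"]:
        print(report(arg))
```

Feed it the version string from the installation you are assessing; a line that comes back as "not covered by this bulletin" needs to be checked against a later bulletin, not assumed clean.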
EUVDB-ID: #VU8454
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a CSRF attack.
The weakness exists due to missing CSRF protection in the customer group management. A remote attacker can create a specially crafted HTML page or URL, trick an authenticated victim into visiting it, and perform arbitrary actions on the victim's behalf, including storing script code through the customer group.
Mitigation
The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6
Magento Open Source: 1.9.0.0 - 1.9.3.5
https://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group))
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8455
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in admin notifications. A remote attacker can inject arbitrary HTML and script code into a stored notification, which is executed in the administrator's browser in the context of the vulnerable website when the notification is viewed.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6
Magento Open Source: 1.9.0.0 - 1.9.3.5
https://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1494: AdminNotification Stored XSS)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8456
Risk: High
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber]
CVE-ID: N/A
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists because uploaded script files are protected only by .htaccess rules. On web servers that do not process .htaccess files (non-Apache installations, for example nginx), those rules are silently absent and an uploaded script can be executed. A remote authenticated attacker can upload a script file and execute arbitrary code on the server.
Mitigation
The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6
Magento Open Source: 1.9.0.0 - 1.9.3.5
https://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1793: Potential file uploads solely protected by .htaccess)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
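The point of APPSEC-1793 is that a protection which lives only in .htaccess does not exist on nginx, which never reads that file. Beyond applying the patch, an nginx deployment should carry an explicit deny rule for scripts under the upload and media trees in the server configuration itself. The fragment below is an added example and is not Magento's shipped nginx.conf.sample; the directory names and the PHP-FPM socket path are assumptions for illustration. It shows the weak layout (a lone catch-all PHP handler, as a straight port from an Apache vhost often ends up) next to the corrected one.

```nginx
# Added example, not Magento's own nginx.conf.sample. Paths and the
# PHP-FPM socket path are assumptions for illustration.
#
# nginx evaluates regex locations in file order and stops at the first
# match, so the deny rule MUST appear before the generic PHP handler.

# Weak setting: nothing in front of the catch-all handler, so a script
# dropped into media/ by an upload feature is executed on request.
#
#   location ~ \.php$ {
#       fastcgi_pass unix:/run/php-fpm/magento.sock;
#       include      fastcgi_params;
#   }

# Corrected setting: refuse to hand anything under the upload trees to PHP.
# Use /media/ and /var/ when the document root is pub/, /pub/media/ when it
# is the install root; both spellings are listed here for that reason.
location ~* ^/(media|pub/media|var)/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
}

# Generic PHP handler stays after the deny rule.
location ~ \.php$ {
    fastcgi_pass   unix:/run/php-fpm/magento.sock;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
```

After reloading, request a non-existent .php path under the media tree (for example `curl -I https://shop.example/media/probe.php`, with an assumed hostname) and expect a 403: `deny all` is applied on the URI match, so the file does not have to exist for the test to be meaningful. On Apache the equivalent check is that `AllowOverride` actually permits the shipped .htaccess directives, or that the same rules are moved into the virtual host configuration.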
EUVDB-ID: #VU8457
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a CSRF attack.
The weakness exists due to missing CSRF protection in the newsletter template management. A remote attacker can create a specially crafted HTML page or URL, trick an authenticated victim into visiting it, and perform arbitrary actions on the victim's behalf, including storing script code through the newsletter template.
Mitigation
The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6
Magento Open Source: 1.9.0.0 - 1.9.3.5
https://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8458
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote authenticated administrator to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the order status label shown in the admin order view. A remote authenticated administrator can store arbitrary HTML and script code in the label, which is executed in the browser of another admin user who views the order, in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6
Magento Open Source: 1.9.0.0 - 1.9.3.5
https://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1729: XSS in admin order view using order status label in Magento)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8459
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to insufficient validation of requests for order item custom options. A remote attacker can craft a URL request to a Magento site during checkout and retrieve information about past orders.
Mitigation
The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6
Magento Open Source: 1.9.0.0 - 1.9.3.5
https://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1588: Order Item Custom Option Disclosure)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8460
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists because several fields in the Admin panel, including the admin login form, do not handle browser autocomplete correctly. Values the browser has saved for these fields, such as admin credentials, can be exposed when the browser autocompletes them, for example to anyone with access to that browser or its stored form data.
Mitigation
The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6
Magento Open Source: 1.9.0.0 - 1.9.3.5
https://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1599: Admin login does not handle autocomplete feature correctly)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8461
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to view or delete arbitrary files on the system.
The vulnerability exists due to insufficient input validation in the theme creation function. A remote administrator with limited privileges can view or delete arbitrary files on the target system.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8462
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to view or delete arbitrary files on the system.
The vulnerability exists due to insufficient input validation in the Delete Files module. A remote administrator with limited privileges can view or delete arbitrary files on the target system.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8463
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to delete arbitrary files or execute arbitrary commands on the system.
The vulnerability exists due to insufficient input validation in the Magento functional tests. A remote administrator with limited privileges can delete arbitrary files or execute arbitrary commands on the vulnerable system.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8464
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an insecure algorithm used when generating cookies for orders. A remote attacker who knows generic order information can produce a cookie collision and obtain information about another customer's order.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8465
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to overwrite arbitrary files on the system.
The vulnerability exists due to insufficient input validation in the sitemap functionality. A remote administrator with limited privileges can use the sitemap generation tool to overwrite sensitive files at an arbitrary path.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8466
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because several Magento site URLs leak sensitive information, which can include verbose error messages and controller locations. A remote attacker can use this information to assist in exploiting other vulnerabilities.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8467
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform phishing attacks.
The vulnerability exists due to an error in the redirection functionality (open redirect). A remote attacker can craft a link on the vulnerable site that redirects to an arbitrary external site and use it to perform phishing attacks against website users.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8468
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization when processing custom product attributes. A remote authenticated administrator can permanently inject arbitrary HTML and script code that is executed in the victim's browser in the context of the vulnerable website.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8469
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-384 - Session Fixation
Exploit availability: No
Description
The vulnerability allows a remote attacker to reuse expired user sessions.
The vulnerability exists due to an error in the session expiration functionality. A remote attacker who obtains a session identifier that should already have expired can still use it to access the website as that user.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8470
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in the account lockout mechanism. A remote attacker can obtain the Magento site's contact e-mail address.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8471
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability exists due to the absence of CSRF protection in the customer registration process. A remote attacker can perform CSRF attacks and create an arbitrary number of user accounts on the website.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8472
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization when processing page titles. A remote authenticated administrator can permanently inject arbitrary HTML and script code that is executed in the victim's browser in the context of the vulnerable website.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8473
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability exists because the anti-CSRF form_key token is not regenerated after user login. A remote attacker who obtains the token while the session is still unauthenticated can reuse it after the victim logs in and perform CSRF attacks against website users.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
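The form_key issue above is a token-lifecycle bug rather than a missing check: the token is verified, but it is the same token before and after authentication, so a value learned while the session was anonymous remains valid once the victim is logged in. The model below is an added example, not Magento's code; the class and function names are invented, and how the attacker learns the pre-login token (the bulletin says "intercept") is outside the model, which simply hands the attacker the anonymous token. It replays the scenario with the token kept across login (the weakness) and with the token regenerated on login (the hardened behaviour).

```python
"""Model of the anti-CSRF token lifecycle: token kept across login (weak)
versus regenerated on authentication (hardened). Added example, not
Magento's code; all names here are invented for illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Minimal server-side session: who is logged in and the CSRF token."""
    user: Optional[str] = None
    form_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def login(session: Session, user: str, rotate_form_key: bool) -> None:
    """Authenticate the session. With rotate_form_key=False the pre-auth
    token survives login (the weakness described in the bulletin); with
    rotate_form_key=True a fresh token is issued at the privilege change."""
    session.user = user
    if rotate_form_key:
        session.form_key = secrets.token_urlsafe(16)


def handle_state_change(session: Session, submitted_form_key: str) -> bool:
    """Server-side check a state-changing request must pass: the session
    must be authenticated and the request must carry the current form_key.
    compare_digest avoids a timing side channel on the token comparison."""
    if session.user is None:
        return False
    return secrets.compare_digest(session.form_key, submitted_form_key)


def csrf_after_login_succeeds(rotate_form_key: bool) -> bool:
    """Replay the bulletin's scenario: the attacker learns the token while
    the session is anonymous, the victim then logs in, and the attacker
    forges a request that carries the old token. Returns True if the forged
    request is accepted."""
    victim = Session()                        # anonymous session
    stolen_key = victim.form_key              # token learned before login
    login(victim, "alice", rotate_form_key)   # victim authenticates
    return handle_state_change(victim, stolen_key)


def legitimate_request_succeeds(rotate_form_key: bool) -> bool:
    """Sanity check: a request carrying the session's current token is
    accepted in both configurations, so rotation costs nothing legitimate."""
    s = Session()
    login(s, "alice", rotate_form_key)
    return handle_state_change(s, s.form_key)


if __name__ == "__main__":
    print("token kept across login, forged request accepted:",
          csrf_after_login_succeeds(rotate_form_key=False))   # True (weak)
    print("token rotated on login, forged request accepted:",
          csrf_after_login_succeeds(rotate_form_key=True))    # False (fixed)
```

The same rule applies at every other privilege boundary (logout, password change, admin role change): anything that changes who the session is must also invalidate tokens issued under the old identity.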
EUVDB-ID: #VU8474
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because Magento email replies to product requests expose the filesystem path of the Magento installation. A remote attacker can use the disclosed path to assist in exploiting other vulnerabilities.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8475
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization when processing email templates. A remote authenticated administrator can permanently inject arbitrary HTML and script code that is executed in the victim's browser in the context of the vulnerable website.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8476
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an unspecified error. A remote attacker can visit an internal URL and see the status of a Magento upgrade.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8477
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization when processing product thumbnails. A remote authenticated administrator can permanently inject arbitrary HTML and script code that is executed in the victim's browser in the context of the vulnerable website.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8478
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization when processing product thumbnails. A remote authenticated administrator can permanently inject arbitrary HTML and script code that is executed in the victim's browser in the context of the vulnerable website.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8479
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization in the integration activation flow. A remote authenticated administrator can permanently inject arbitrary HTML and script code that is executed during integration activation in the context of the vulnerable website.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8480
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient input sanitization of the order code label rendered in the order view. A remote authenticated administrator can permanently inject arbitrary HTML and script code that is executed in the victim's browser in the context of the vulnerable website.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8481
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The vulnerability allows a remote authenticated administrator to perform XSS attacks.
The vulnerability exists due to insufficient sanitization of SVG images uploaded as the site favicon. A remote authenticated administrator can upload an SVG containing script code, which is permanently stored and executed in the browser of users who load it, in the context of the vulnerable website.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8482
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to cause a denial of service (DoS) condition.
The vulnerability exists due to an integer overflow in the page counter. A remote authenticated attacker can supply an out-of-range value for the page counter when creating a new page and cause a denial of service.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8483
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-384 - Session Fixation
Exploit availability: No
Description
The vulnerability allows a remote attacker to reuse expired customer and admin tokens.
The vulnerability exists because customer and admin tokens do not expire correctly. A remote attacker who obtains a token that should already have expired can continue to use it to access the website as that user.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8484
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote administrator with limited privileges to change the favicon for the entire website.
The vulnerability exists due to missing access control checks on the favicon setting. A Magento administrator with limited privileges can update the favicon image for the entire site, a change that should require a higher privilege level.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8485
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to an improper check of Access Control Lists in the quick edits grid. A remote attacker can bypass the ACL check, perform actions in the grid they are not authorized for, and use this as a foothold for further attacks.
Mitigation
Update to version 2.0.16 or 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 2.0.0 - 2.1.8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8486
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to modify order fields.
The vulnerability exists due to improper access controls in the sales order function. A remote authenticated attacker can modify order fields that they do not have permission to view.
Mitigation
The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.
Vulnerable software versions
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.6
Magento Open Source: 1.9.0.0 - 1.9.3.5
https://magento.com/security/patches/magento-2016-and-219-security-update
(APPSEC-1495: Any user can interact with the sales order function despite not being authorized)
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.