Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | N/A |
CWE-ID | CWE-352 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Magento Open Source (Web applications / E-Commerce systems); Adobe Commerce (formerly Magento Commerce) (Web applications / E-Commerce systems) |
Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU8712
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a CSRF attack.
The vulnerability exists due to incorrect validation of the HTTP request origin in the Customer Groups functionality when an HTTP POST request is changed to an HTTP GET request on saving changes to existing groups (/customer/group/save/). The web application ignores the "form_key" parameter in HTTP GET requests, which allows a remote attacker to create arbitrary customer groups.
Update to version 1.9.3.6, 1.14.3.6, 2.0.16 or 2.1.9.
Magento Open Source: 1.9.0.0 - 1.9.3.5
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.8
https://www.defensecode.com/advisories/DC-2017-09-001_Magento_CSRF_Stored_Cross_Site_Scripting.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8713
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform an XSS attack.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the Group Name parameter (code). A remote authenticated attacker can permanently inject and execute arbitrary HTML code in the victim's browser. The injected code will be present on several pages where the customer group is shown (when viewing individual orders, individual customers, etc.).
This vulnerability can be exploited in a chain with the CSRF vulnerability described in this advisory.
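As an added illustration of the two issues described in this bulletin (this is not code from the advisory, from Magento, or from DefenseCode), the following Python sketch models a group-save handler that checks the form_key only on POST, as the bulletin describes, next to a hardened handler that requires POST and validates the token on every request, and an output step that escapes the stored group name so that stored markup is rendered inert. The Request and Store classes, the SESSIONS table and the numeric status codes are constructed assumptions, not Magento's API.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed session store: session id -> CSRF token (form_key) issued to that
# session. A real application would keep this in its server-side session.
SESSIONS = {"sess-a": secrets.token_hex(16)}


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed, not Magento's)."""
    method: str
    path: str
    params: dict
    session_id: str  # taken from the browser's session cookie


@dataclass
class Store:
    """Constructed stand-in for the customer-group table."""
    groups: list = field(default_factory=list)


def _token_valid(req: Request) -> bool:
    """Compare the supplied form_key against the session's token in constant time."""
    expected = SESSIONS.get(req.session_id)
    supplied = req.params.get("form_key", "")
    return bool(expected) and hmac.compare_digest(supplied, expected)


def save_group_vulnerable(req: Request, store: Store) -> int:
    """Mirrors the weakness the bulletin describes: the token is checked on
    POST only, so the same parameters sent as a GET skip the check entirely."""
    if req.method == "POST" and not _token_valid(req):
        return 403
    store.groups.append(req.params["code"])
    return 200


def save_group_hardened(req: Request, store: Store) -> int:
    """State-changing endpoint: refuse non-POST methods outright, then validate
    the token. Restricting the method alone is not enough, since a cross-site
    form can still POST; the token check is what defeats the forgery."""
    if req.method != "POST":
        return 405
    if not _token_valid(req):
        return 403
    store.groups.append(req.params["code"])
    return 200


def render_group_cell(code: str) -> str:
    """Escape the stored group name at output time, so a name containing markup
    is displayed literally wherever the group is shown."""
    return f"<td>{html.escape(code, quote=True)}</td>"


if __name__ == "__main__":
    # Constructed forged GET carrying the victim's session but no form_key.
    forged = Request("GET", "/customer/group/save/", {"code": "<b>VIP</b>"}, "sess-a")
    print("vulnerable handler:", save_group_vulnerable(forged, Store()))
    print("hardened handler:  ", save_group_hardened(forged, Store()))
    print("rendered cell:     ", render_group_cell("<b>VIP</b>"))
```

The two checks are independent: the method/token check stops the forged request from creating the group in the first place, and the output escaping ensures that even a group name written through some other path cannot execute in an administrator's browser.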
Update to version 1.9.3.6, 1.14.3.6, 2.0.16 or 2.1.9.
Magento Open Source: 1.9.0.0 - 1.9.3.5
Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 2.1.8
https://www.defensecode.com/advisories/DC-2017-09-001_Magento_CSRF_Stored_Cross_Site_Scripting.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.