Magento users advised to install latest update to thwart attacks exploiting remote code execution security flaw
The security flaw enables attackers to inject a malicious payload into a merchant's website
Magento has urged users to apply the latest security update to protect their ecommerce sites from potential attacks exploiting a remote code execution (RCE) security flaw.
"Because most exploits tend to target software installations that are not up-to-date with the latest security updates, we always strongly recommend that users install security updates as soon as they are available," Piotr Kaminski from the Magento Security Team warned in an online post.
The vulnerability, indexed as CVE-2019-8144, is an RCE bug that could allow an attacker to inject a malicious payload into a merchant's website through PageBuilder template methods and then execute the payload.
The security flaw affects Magento Commerce 2.3.1, Magento Commerce 2.3.2, and unsupported versions of Page Builder. The issue was fixed in the Magento 2.3.3 and Magento 2.3.2-p2 security-only patches that were released on 8th October 2019.
Magento 2.3.1 merchants should first install the MDVA-22979_EE_2.3.1_v1 patch and then schedule the upgrade to 2.3.2-p2 or 2.3.3.
Magento 2.3.2 users should install the MDVA-22979_EE_2.3.2_v1 patch and then schedule the upgrade to 2.3.2-p2 or 2.3.3.
Magento users can download the patches from their accounts.
The platform is also advising merchants to review the security of their Magento website before applying the latest security patches, to ensure it was not already compromised: the patches close the vulnerability but do not undo the effects of an earlier attack.
Cloud customers need not take any action, as they are already protected from potential attacks arising from the CVE-2019-8144 vulnerability.
However, for some time, admins won't be able to view previews for products, blocks, and dynamic blocks.
Magento says it will "re-enable the preview functionality as soon as possible."
In March, researchers at security firm Sucuri found a critical vulnerability in Magento, which left nearly 300,000 online retailers at risk of card-skimming attacks.
The researchers said this PRODSECBUG-2198 SQL injection vulnerability could allow cyber-crooks to launch devastating attacks and hijack accounts without authentication.
The bug was given a score of 8.8 out of ten by experts at Sucuri, who claimed that it would be "very easy" for attackers to exploit this vulnerability remotely.
The issue affected 2.1 before 2.1.17, 2.2 before 2.2.8 and 2.3 before 2.3.1 for both the open source and commercial versions of Magento.
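The version ranges above (2.3.1 and 2.3.2 for CVE-2019-8144, and 2.1 before 2.1.17, 2.2 before 2.2.8 and 2.3 before 2.3.1 for PRODSECBUG-2198) are easy to misread when security-only patch levels such as 2.3.2-p2 are involved, since a naive string comparison sorts "2.3.2-p2" before "2.3.2". The following script, added here as an illustration rather than code from the article or from Magento, parses a Magento version string into a comparable tuple in which 2.3.2 < 2.3.2-p2 < 2.3.3, and maps it to the remediation the article lists. The function names are my own; the `composer.lock` reader assumes the standard Composer lock-file layout and that the install is pinned through one of Magento's `magento/product-*-edition` metapackages.

```python
import json
import re
from typing import Optional, Tuple

# (major, minor, patch, security_patch_level); plain releases have level 0.
Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(s: str) -> Version:
    """Parse '2.3.2' or '2.3.2-p2' into a comparable tuple.

    A security-only patch level sorts after its base release but before
    the next release, i.e. 2.3.2 < 2.3.2-p2 < 2.3.3.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {s!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def cve_2019_8144_advice(version: str) -> str:
    """Remediation step for CVE-2019-8144 as given in the advisory summary."""
    v = parse_version(version)
    if v[:3] == (2, 3, 1):
        return "apply MDVA-22979_EE_2.3.1_v1, then upgrade to 2.3.2-p2 or 2.3.3"
    if v == (2, 3, 2, 0):
        return "apply MDVA-22979_EE_2.3.2_v1, then upgrade to 2.3.2-p2 or 2.3.3"
    if v >= (2, 3, 2, 2):
        return "not affected by CVE-2019-8144 (2.3.2-p2 / 2.3.3 or later)"
    return "version not listed as affected by CVE-2019-8144; check the advisory"


# First fixed release per line for the PRODSECBUG-2198 SQL injection (from the article).
_PRODSECBUG_2198_FIXED = {(2, 1): (2, 1, 17), (2, 2): (2, 2, 8), (2, 3): (2, 3, 1)}


def vulnerable_to_prodsecbug_2198(version: str) -> Optional[bool]:
    """True if the version predates the fix for its release line,
    False if fixed, None if the release line is not covered by the article."""
    v = parse_version(version)
    fixed = _PRODSECBUG_2198_FIXED.get(v[:2])
    if fixed is None:
        return None
    return v[:3] < fixed


def magento_version_from_composer_lock(lock_text: str) -> Optional[str]:
    """Extract the pinned Magento edition version from composer.lock contents.

    Assumption: the shop is installed through a magento/product-*-edition
    metapackage, whose 'version' field is the Magento release (e.g. '2.3.2-p2').
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        name = pkg.get("name", "")
        if name.startswith("magento/product-") and name.endswith("-edition"):
            return pkg.get("version")
    return None


# Constructed sample lock file, not taken from any real installation.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "1.24.0"},
        {"name": "magento/product-enterprise-edition", "version": "2.3.2"},
    ]
})

if __name__ == "__main__":
    v = magento_version_from_composer_lock(SAMPLE_LOCK)
    print(f"installed: {v}")
    print(f"CVE-2019-8144: {cve_2019_8144_advice(v)}")
    print(f"PRODSECBUG-2198 vulnerable: {vulnerable_to_prodsecbug_2198(v)}")
```

Run it against a real `composer.lock` by passing the file's contents to `magento_version_from_composer_lock`; the point of the tuple representation is that the `-p` suffix is treated as a fourth component, so the 2.3.2-p2 security-only release is correctly recognised as carrying the fix while the plain 2.3.2 release is not.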
In May, security researchers at Malwarebytes uncovered a new rogue iFrame phishing technique targeting online payments.
The researchers said that the new technique allows attackers to inject malicious code into every page of a hacked website, which then prompts customers to enter their credit card information.