The vast majority of the 300,000+ Magento stores are running vulnerable versions. On March 26, 2019 Magento released SUPEE-11086, a bundle of security fixes that closes remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities. Patch it now!
But let's dive deeper into one of the fixes it contains: PRODSECBUG-2198.
PRODSECBUG-2198 fixes an SQL injection vulnerability that can be exploited without authentication and leaks sensitive data from the database. Through that hole an attacker can work their way into the Magento Admin Panel, place malicious code (a card skimmer) on the storefront and collect customer credit card data.
We noticed the consequences of this vulnerability 2 years ago and developed a security monitoring tool, WatchDogs, that detects injected malicious code and immediately notifies the store owner (it covers more than this particular case, since it catches similar injections regardless of how they got in, but it does not prevent the injection itself). Unfortunately, we were unable to identify the root cause at that time, and it took Magento some time to figure it out and fix it as well.
Which web stores are at risk?
- Magento Open Source prior to 1.9.4.1
- Magento Commerce prior to 1.14.4.1
- Magento 2.1 prior to 2.1.17
- Magento 2.2 prior to 2.2.8
- Magento 2.3 prior to 2.3.1
What is the worst-case scenario?
- victim customers lose money
- the web store's reputation suffers
- the business loses customers
- frozen merchant account (Visa, MasterCard, Stripe, PayPal or any other payment gateway)
- fines and damages of hundreds of thousands of dollars
- business disruption
How do you protect the Magento store and keep the business running?
A. Upgrade to the latest Magento version.
B. Install security patches routinely. Upgrading Magento on a regular basis can be quite expensive, so patching is a good alternative. Note that SUPEE patches exist only for Magento 1; on Magento 2 the fix ships in the point releases (2.1.17, 2.2.8, 2.3.1), so upgrading is the only option there. Check for uninstalled security patches with magereport.com.
C. Monitor security constantly. Run the built-in Magento Security Scan and use third-party monitoring tools such as WatchDogs, Sucuri, etc.
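As an added example (not code from the original post, from WatchDogs or from Magento), here is a small Python checker that turns the version list above and the patch-check step into something a store operator can run locally: it compares the version string against the first fixed release on each line and, for Magento 1 where applying SUPEE-11086 leaves the version number unchanged, reads app/etc/applied.patches.list. The line format assumed for applied.patches.list (pipe-separated fields, patch id in the second field, the word REVERTED on revert lines) and the sample entries are constructed for the example, not taken from a real store.

```python
"""Decide whether a Magento install still needs the PRODSECBUG-2198 fix.

Inputs a store operator can get without any external service:
  * the version string (Mage::getVersion() on 1.x; composer.json or
    `bin/magento --version` on 2.x)
  * for Magento 1 only, app/etc/applied.patches.list, because applying
    SUPEE-11086 does not bump the version number.
"""
import re

# First release on each line that contains the PRODSECBUG-2198 fix
# (Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, 2.1.17, 2.2.8, 2.3.1).
FIXED_VERSIONS = {
    (1, 9): (1, 9, 4, 1),    # Magento Open Source 1.x
    (1, 14): (1, 14, 4, 1),  # Magento Commerce 1.x
    (2, 1): (2, 1, 17),
    (2, 2): (2, 2, 8),
    (2, 3): (2, 3, 1),
}

PATCH_ID = "SUPEE-11086"


def parse_version(version):
    """'2.3.1-p1' -> (2, 3, 1); any suffix after the numeric part is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", version)
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_version(version):
    """True if the version predates the first fixed release on its line.

    Lines missing from the table (1.8.x, 2.0.x, ...) were end-of-life when
    the fix shipped and never received it, so they count as vulnerable.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return True
    return v < fixed  # tuple comparison: (1, 9, 3, 10) < (1, 9, 4, 1)


def supee_applied(applied_patches_list, patch_id=PATCH_ID):
    """Parse Magento 1's app/etc/applied.patches.list.

    Assumed format: each apply or revert appends one pipe-separated line whose
    second field is the patch id; a revert line carries the word REVERTED.
    The last line mentioning the patch decides its current state.
    """
    applied = False
    for line in applied_patches_list.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) > 1 and fields[1] == patch_id:
            applied = "REVERTED" not in fields
    return applied


def assess(version, applied_patches_list=""):
    """Return (vulnerable, reason). The patch list is consulted only on 1.x."""
    v = parse_version(version)
    if not is_vulnerable_version(version):
        return False, f"{version} already ships the PRODSECBUG-2198 fix"
    if v[0] == 1:
        if supee_applied(applied_patches_list):
            return False, f"{version} with {PATCH_ID} applied"
        return True, f"{version} without {PATCH_ID}: apply it or upgrade to 1.9.4.1 / 1.14.4.1"
    fixed = FIXED_VERSIONS.get(v[:2])
    target = ".".join(map(str, fixed)) if fixed else "a supported 2.x release"
    return True, f"{version} is vulnerable: upgrade to {target}"


# Constructed sample entries (not copied from a real store): the first file
# shows the patch applied, the second shows it applied and then reverted.
SAMPLE_APPLIED = (
    "2019-03-27 09:12:44 UTC | SUPEE-11086 | CE_1.9.3.10 | v1 | <hash> | <date> | <description> | <files>\n"
)
SAMPLE_REVERTED = SAMPLE_APPLIED + (
    "2019-03-28 11:05:02 UTC | SUPEE-11086 | CE_1.9.3.10 | v1 | REVERTED | <date> | <description> | <files>\n"
)

if __name__ == "__main__":
    checks = [("2.3.0", ""), ("2.3.1-p1", ""), ("2.0.18", ""),
              ("1.9.3.10", SAMPLE_APPLIED), ("1.9.3.10", SAMPLE_REVERTED)]
    for ver, plist in checks:
        vulnerable, reason = assess(ver, plist)
        print("VULNERABLE" if vulnerable else "ok        ", reason)
```

Run it with the output of `bin/magento --version` (2.x) or `php -r 'require "app/Mage.php"; echo Mage::getVersion();'` (1.x) and, on 1.x, the contents of app/etc/applied.patches.list. magereport.com does the same kind of check remotely; this version runs offline and can be dropped into a deploy pipeline so a store cannot be shipped on a vulnerable release.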
Patch your Magento store now, or contact your Magento development team to help with it ASAP. And let's rock eCommerce without interruptions!