It has come to our attention at 121ecommerce that a new group of vulnerabilities has been discovered in several Magento products. In practice, this means attackers can use SQL injection methods to break into and take over the Magento admin.
SUPEE-7405 fixes these high-risk to critical security issues. According to Magento’s security release, this patch is actually a bundle of patches for Magento 1.x stores.
This critical Cross-Site Scripting vulnerability is reported to be a leak during customer registration on the storefront. Through this leak, an attacker can steal an administrator session or act on behalf of a store administrator.
Any store on a Magento CE platform earlier than 1.9.2.3 and Magento EE earlier than 1.14.2.3 is affected. Later Magento versions are not at risk.
This critical vulnerability allows an attacker to take over the admin via comments appended to an order, which Magento could read as JavaScript code. The attack would be executed server-side when the administrator attempts to view the order.
Any store on a Magento CE platform earlier than 1.9.2.3 and Magento EE earlier than 1.14.2.3, as well as Magento 2 CE & EE earlier than 2.0.1, is affected. Later Magento versions are not at risk.
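As an added helper (not code from the Magento project or the original post), the script below encodes the affected-version thresholds given above for Magento 1 CE/EE and Magento 2 CE/EE, and checks whether a store still needs the patch. It assumes patches were applied with Magento's .sh patch scripts, which record each applied patch as a line in app/etc/applied.patches.list; the sample list contents are constructed.

```python
import re

# Releases that contain the SUPEE-7405 fixes, as stated on this page
# (Magento 1 CE 1.9.2.3, EE 1.14.2.3; Magento 2 CE/EE 2.0.1). Anything earlier is affected.
FIXED_IN = {
    (1, "CE"): (1, 9, 2, 3),
    (1, "EE"): (1, 14, 2, 3),
    (2, "CE"): (2, 0, 1),
    (2, "EE"): (2, 0, 1),
}

def parse_version(version):
    """'1.9.2.2' -> (1, 9, 2, 2); a trailing stability suffix such as '-rc1' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable_version(edition, version):
    """True if this edition/version predates the release that bundles the fixes."""
    v = parse_version(version)
    fixed = FIXED_IN[(v[0], edition.upper())]  # KeyError for editions/majors not covered here
    width = max(len(v), len(fixed))
    # Pad both tuples so '1.9.2' compares as '1.9.2.0', then compare lexicographically.
    return v + (0,) * (width - len(v)) < fixed + (0,) * (width - len(fixed))

# Assumption: the store applied patches with Magento's .sh patch scripts, which append one
# line per patch to app/etc/applied.patches.list; only the patch id token is relied on here.
def supee_7405_applied(applied_patches_text):
    return any("SUPEE-7405" in line for line in applied_patches_text.splitlines())

def needs_patch(edition, version, applied_patches_text):
    """Vulnerable release with no record of SUPEE-7405 -> patch (or upgrade) still required."""
    return is_vulnerable_version(edition, version) and not supee_7405_applied(applied_patches_text)

# Constructed sample of an applied.patches.list; dates and hashes are placeholders.
SAMPLE_PATCH_LIST = """\
2015-10-27 09:55:41 UTC | SUPEE-6788 | CE_1.9.2.2 | v1 | PLACEHOLDER_SHA | ...
2016-01-21 12:00:00 UTC | SUPEE-7405 | CE_1.9.2.2 | v1 | PLACEHOLDER_SHA | ...
"""

if __name__ == "__main__":
    for edition, version in (("CE", "1.9.2.2"), ("CE", "1.9.2.3"), ("EE", "1.14.2.2")):
        print(edition, version, "needs SUPEE-7405:", needs_patch(edition, version, SAMPLE_PATCH_LIST))
```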
Above we detailed the Critical Severity issues this SUPEE-7405 Magento security patch fixes. Below is a list of the High Severity issues fixed by the patch:
An additional 10 medium-risk vulnerabilities and 4 low-risk vulnerabilities were fixed in this SUPEE-7405 Magento security patch.
You can scan your site to see if it is vulnerable by checking your website URL on this site: https://www.magereport.com/
Have questions? Concerns about the security of your Magento site? Contact us to ascertain the safety of your website.