The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Magento EE

vulnerability bulletin 25393

Magento: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento.
Impacted products: Magento EE, Magento CE.
Severity: 3/4.
Consequences: administrator access/rights, client access/rights, data reading, data deletion.
Provenance: document.
Creation date: 28/02/2018.
Identifiers: CERTFR-2018-AVI-103, DC-2018-03-001, DC-2018-03-002, DC-2018-03-003, DC-2018-03-004, VIGILANCE-VUL-25393.

Description of the vulnerability

An attacker can use several vulnerabilities of Magento.

computer vulnerability alert 24556

Magento: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento.
Impacted products: Magento EE, Magento CE.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Creation date: 28/11/2017.
Identifiers: CERTFR-2017-AVI-434, SUPEE-10415, VIGILANCE-VUL-24556.

Description of the vulnerability

An attacker can use several vulnerabilities of Magento.

computer vulnerability alert 24376

Magento: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento.
Impacted products: Magento EE, Magento CE.
Severity: 3/4.
Consequences: privileged access/rights, client access/rights, data reading, data deletion.
Provenance: internet client.
Creation date: 08/11/2017.
Identifiers: CERTFR-2017-AVI-397, VIGILANCE-VUL-24376.

Description of the vulnerability

An attacker can use several vulnerabilities of Magento.

vulnerability note 24264

Magento: information disclosure via local.xml

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via the local.xml file of a Magento instance that is not served by Apache httpd (for example nginx), in order to obtain sensitive information.
Impacted products: Magento EE, Magento CE.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 30/10/2017.
Identifiers: VIGILANCE-VUL-24264.

Description of the vulnerability

An attacker can bypass access restrictions to data via the local.xml file of a Magento instance that is not served by Apache httpd (for example nginx), in order to obtain sensitive information.

vulnerability bulletin 23843

Magento: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento.
Impacted products: Magento EE, Magento CE.
Severity: 3/4.
Consequences: user access/rights, client access/rights, data reading, data creation/edition.
Provenance: internet client.
Creation date: 15/09/2017.
Identifiers: CERTFR-2017-AVI-303, DC-2017-09-001, DC-2017-09-002, VIGILANCE-VUL-23843.

Description of the vulnerability

An attacker can use several vulnerabilities of Magento.

computer vulnerability bulletin 22878

Magento: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento.
Impacted products: Magento EE, Magento CE.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, client access/rights, data reading, data creation/edition.
Provenance: document.
Creation date: 01/06/2017.
Identifiers: VIGILANCE-VUL-22878.

Description of the vulnerability

An attacker can use several vulnerabilities of Magento.

vulnerability announce 22432

Magento: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Magento, in order to force the victim to perform operations.
Impacted products: Magento EE, Magento CE.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 13/04/2017.
Identifiers: VIGILANCE-VUL-22432.

Description of the vulnerability

The Magento product offers a web service.

However, the origin of queries is not checked. They can for example originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Magento, in order to force the victim to perform operations.

vulnerability CVE-2016-10034

Zend Framework: code execution via zend-mail

Synthesis of the vulnerability

An attacker can use a vulnerability via zend-mail of Zend Framework, in order to run code.
Impacted products: Fedora, Magento EE, Magento CE, Zend Framework.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 21/12/2016.
Identifiers: APPSEC-1746, CVE-2016-10034, FEDORA-2016-1185de6aa6, FEDORA-2016-a6e72e28e1, VIGILANCE-VUL-21440, ZF2016-04.

Description of the vulnerability

An attacker can use a vulnerability via zend-mail of Zend Framework, in order to run code.

vulnerability note 21394

Magento: information disclosure from weak isolation

Synthesis of the vulnerability

An attacker can bypass access restrictions to data of Magento, in order to obtain personal information.
Impacted products: Magento EE, Magento CE.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 15/12/2016.
Identifiers: VIGILANCE-VUL-21394.

Description of the vulnerability

A Magento server may host several shops.

However, isolation between shops hosted on the same server is incomplete. An attacker who is authorized to view data about customers and orders for one shop can access similar records belonging to other shops.

An attacker can therefore bypass access restrictions to data of Magento, in order to obtain personal information.

vulnerability bulletin 21123

Magento EE: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento EE.
Impacted products: Magento EE.
Severity: 2/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/11/2016.
Identifiers: VIGILANCE-VUL-21123.

Description of the vulnerability

Several vulnerabilities were announced in Magento EE.

An attacker can trigger a Cross Site Request Forgery via Form Key, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger a Cross Site Scripting via Category, in order to run JavaScript code in the context of the web site. [severity:2/4]