The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Magento Open Source

vulnerability note 21394

Magento: information disclosure from weak isolation

Synthesis of the vulnerability

An attacker can bypass access restrictions on Magento data, in order to obtain personal information.
Impacted products: Magento EE, Magento CE.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 15/12/2016.
Identifiers: VIGILANCE-VUL-21394.

Description of the vulnerability

A Magento server may host several shops (stores).

However, isolation between shops hosted on the same server is incomplete. An attacker who is authorized to view customer and order data for one shop can access the equivalent records of the other shops.

An attacker can therefore bypass access restrictions on Magento data, in order to obtain personal information.
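The fix for this class of hole is to make the role's store scope part of every customer or order lookup, not a separate "may view orders" flag. The following is an added example written for this note, not Vigil@nce or Magento code; the table, columns, rows and the role allow-list are constructed for illustration.

```php
<?php
// Added example, not Magento code: an order lookup scoped to the stores the
// back-office role may see. Table, columns and data are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sales_order (entity_id INTEGER, store_id INTEGER, customer_email TEXT)');
$db->exec("INSERT INTO sales_order VALUES (1, 1, 'alice@shop-one.example'), (2, 2, 'bob@shop-two.example')");

// Weak isolation: the only access check is "may this user view orders at all",
// so a manager of shop one can fetch shop two's orders by guessing an ID.
function loadOrderUnscoped(PDO $db, int $orderId): ?array
{
    $stmt = $db->prepare('SELECT entity_id, store_id, customer_email FROM sales_order WHERE entity_id = ?');
    $stmt->execute([$orderId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fixed: the role's permitted store IDs become part of the query, so a record
// belonging to another store is simply not found. An empty allow-list denies.
function loadOrderScoped(PDO $db, int $orderId, array $allowedStoreIds): ?array
{
    if ($allowedStoreIds === []) {
        return null;
    }
    // Placeholders are built from the count only; the IDs themselves are bound.
    $in = implode(',', array_fill(0, count($allowedStoreIds), '?'));
    $stmt = $db->prepare(
        "SELECT entity_id, store_id, customer_email FROM sales_order WHERE entity_id = ? AND store_id IN ($in)"
    );
    $stmt->execute(array_merge([$orderId], array_map('intval', array_values($allowedStoreIds))));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical role for the shop-one manager: store 1 only.
$shopOneRole = [1];

$leaked = loadOrderUnscoped($db, 2);             // shop two's order comes back
$scoped = loadOrderScoped($db, 2, $shopOneRole);  // not visible to this role
$own    = loadOrderScoped($db, 1, $shopOneRole);  // shop one's own order still loads

if ($leaked === null || $scoped !== null || $own === null) {
    throw new RuntimeException('scoping check failed');
}
echo "unscoped lookup of order 2: ", $leaked['customer_email'], PHP_EOL;
echo "scoped lookup of order 2 for the shop-one role: ", var_export($scoped, true), PHP_EOL;
```

The practical check on an installation is the same as the code: log in as a role restricted to one store, then request an order or customer ID that belongs to another store by editing the ID in the URL. A record coming back is the isolation failure described above.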
Full Vigil@nce bulletin... (Free trial)

computer vulnerability 20865

Magento CE/EE 1: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento CE/EE 1.
Impacted products: Magento EE, Magento CE.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 17.
Creation date: 13/10/2016.
Identifiers: APPSEC-1058, APPSEC-1106, APPSEC-1189, APPSEC-1211, APPSEC-1247, APPSEC-1282, APPSEC-1338, APPSEC-1375, APPSEC-1436, APPSEC-1478, APPSEC-1480, APPSEC-1484, APPSEC-1488, APPSEC-1517, APPSEC-327, APPSEC-666, APPSEC-995, VIGILANCE-VUL-20865.

Description of the vulnerability

Several vulnerabilities were announced in Magento CE/EE 1.

An attacker can use a vulnerability via Checkout, in order to run code. [severity:4/4; APPSEC-1484]

An attacker can use a SQL injection via Zend Framework, in order to read or alter data. [severity:3/4; APPSEC-1480]

An attacker can trigger a Cross Site Scripting via Invitations, in order to run JavaScript code in the context of the web site. [severity:2/4; APPSEC-1488]

An attacker can bypass security features via Block Cache, in order to obtain sensitive information. [severity:3/4; APPSEC-1247]

An attacker can log in as another customer. [severity:3/4; APPSEC-1517]

An attacker with administrator access can use a vulnerability in import/export, in order to run code. [severity:2/4; APPSEC-1375]

An attacker can bypass access restrictions via Page Cache, in order to read or alter data. [severity:2/4; APPSEC-1338]

An attacker can trigger a Cross Site Scripting via URL Processing, in order to run JavaScript code in the context of the web site. [severity:2/4; APPSEC-1436]

An attacker can trigger a Cross Site Scripting via Categories Management, in order to run JavaScript code in the context of the web site. [severity:2/4; APPSEC-1211]

An attacker can trigger a fatal error via GIF Flooding, in order to trigger a denial of service. [severity:2/4; APPSEC-1058]

An attacker can trigger a Cross Site Scripting via Flash File Uploader, in order to run JavaScript code in the context of the web site. [severity:2/4; APPSEC-666]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; APPSEC-1282]

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:2/4; APPSEC-327]

An attacker can trigger a Cross Site Request Forgery via Wishlist, in order to force the victim to perform operations. [severity:2/4; APPSEC-1189]

A session does not expire on logout, so its identifier remains usable afterwards. [severity:2/4; APPSEC-1478]

An attacker can act as a Man-in-the-Middle, in order to read or write data in the session. [severity:2/4; APPSEC-1106]

An attacker can use a Timing Attack, in order to obtain sensitive information. [severity:1/4; APPSEC-995]

vulnerability note CVE-2016-10704 CVE-2018-5301

Magento CE/EE 2: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento CE/EE 2.
Impacted products: Magento EE, Magento CE.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 15.
Creation date: 13/10/2016.
Identifiers: APPSEC-1212, APPSEC-1270, APPSEC-1329, APPSEC-1338, APPSEC-1433, APPSEC-1478, APPSEC-1480, APPSEC-1481, APPSEC-1484, APPSEC-1488, APPSEC-1490, APPSEC-1503, APPSEC-1533, APPSEC-1539, APPSEC-1543, CVE-2016-10704, CVE-2018-5301, VIGILANCE-VUL-20864.

Description of the vulnerability

Several vulnerabilities were announced in Magento CE/EE 2.

An attacker can trigger a Cross Site Request Forgery via Mini Cart, in order to force the victim to perform operations. [severity:2/4; APPSEC-1212]

An attacker can bypass security features via Guest Order, in order to obtain sensitive information. [severity:3/4; APPSEC-1270]

An attacker can bypass security features via Maintenance Mode, in order to obtain sensitive information. [severity:2/4; APPSEC-1329]

An attacker can bypass access restrictions via Page Cache, in order to read or alter data. [severity:2/4; APPSEC-1338]

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:2/4; APPSEC-1433]

A session does not expire on logout, so its identifier remains usable afterwards. [severity:2/4; APPSEC-1478]

An attacker can use a SQL injection via Zend Framework, in order to read or alter data. [severity:3/4; APPSEC-1480]

An attacker can create a backup. [severity:1/4; APPSEC-1481]

An attacker can use a vulnerability via Checkout, in order to run code. [severity:4/4; APPSEC-1484]

An attacker can trigger a Cross Site Scripting via Invitations, in order to run JavaScript code in the context of the web site. [severity:2/4; APPSEC-1488]

An attacker can use a vulnerability via Local File Inclusion, in order to run code. [severity:2/4; APPSEC-1490]

An attacker can trigger a Cross Site Scripting via Email Templates, in order to run JavaScript code in the context of the web site. [severity:2/4; APPSEC-1503]

An attacker can order an item with an altered price. [severity:4/4; APPSEC-1533]

An attacker can trigger a Cross Site Scripting via Section Loading, in order to run JavaScript code in the context of the web site. [severity:2/4; APPSEC-1539]

An attacker can log out the administrator, in order to trigger a denial of service. [severity:2/4; APPSEC-1543]
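The "session does not expire on logout" item (APPSEC-1478) appears in both the Magento 1 and the Magento 2 bulletins. The following is an added example written for this note, not Magento code: a minimal server-side session registry that contrasts a logout which only drops the client's cookie with one that also revokes the record on the server. The class, its storage and the customer ID are constructed for illustration.

```php
<?php
// Added example, not Magento code: a minimal server-side session registry
// showing why logout must revoke the server-side record. All constructed.
final class SessionStore
{
    /** @var array<string, array{customerId: int, expires: int}> */
    private array $sessions = [];

    public function login(int $customerId, int $now, int $ttl = 3600): string
    {
        $sid = bin2hex(random_bytes(16)); // 128-bit random identifier
        $this->sessions[$sid] = ['customerId' => $customerId, 'expires' => $now + $ttl];
        return $sid;
    }

    /** Returns the customer bound to $sid, or null when unknown or expired. */
    public function resolve(string $sid, int $now): ?int
    {
        if (!isset($this->sessions[$sid])) {
            return null;
        }
        if ($this->sessions[$sid]['expires'] <= $now) {
            unset($this->sessions[$sid]);
            return null;
        }
        return $this->sessions[$sid]['customerId'];
    }

    // The behaviour the advisories describe: logout only tells the browser to
    // forget the cookie; the server keeps honouring the identifier until TTL.
    public function logoutClientOnly(string $sid): void
    {
        // setcookie('sid', '', ['expires' => 1]) would be the only action here.
    }

    // Correct logout: the server-side record is destroyed, so any copy of the
    // identifier (stolen, cached, shared machine) is worthless afterwards.
    public function logoutRevoke(string $sid): void
    {
        unset($this->sessions[$sid]);
    }
}

$store = new SessionStore();
$now = time();

$sid = $store->login(42, $now);
$store->logoutClientOnly($sid);
$afterWeakLogout = $store->resolve($sid, $now + 60); // the session survived logout

$sid2 = $store->login(42, $now);
$store->logoutRevoke($sid2);
$afterRevoke = $store->resolve($sid2, $now + 60);    // nothing to resolve any more

if ($afterWeakLogout !== 42 || $afterRevoke !== null) {
    throw new RuntimeException('unexpected session behaviour');
}
echo "after cookie-only logout: ", var_export($afterWeakLogout, true), PHP_EOL;
echo "after server-side revocation: ", var_export($afterRevoke, true), PHP_EOL;
```

To check a live shop: log in, copy the session cookie, log out in the browser, then replay the copied cookie (with curl, for instance) against an account page. An authenticated response means the session was not revoked. With PHP's native session handling the revoking step is session_destroy() at logout, paired with session_regenerate_id(true) at login so a pre-login identifier is never promoted.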

vulnerability alert 20041

Magento Community Edition: vulnerability

Synthesis of the vulnerability

Vulnerabilities of Magento Community Edition have been announced.
Impacted products: Magento EE, Magento CE.
Severity: 3/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 07/07/2016.
Identifiers: VIGILANCE-VUL-20041.

Description of the vulnerability

Vulnerabilities of Magento Community Edition have been announced.

computer vulnerability note CVE-2016-4010

Magento: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento.
Impacted products: Magento EE, Magento CE.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, client access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 18/05/2016.
Revision date: 19/05/2016.
Identifiers: APPSEC-1389, APPSEC-1408, APPSEC-1410, APPSEC-1420, APPSEC-1421, APPSEC-1422, CVE-2016-4010, VIGILANCE-VUL-19649.

Description of the vulnerability

Several vulnerabilities were announced in Magento.

An attacker can use the REST/SOAP API, in order to run PHP code. [severity:3/4; APPSEC-1420, CVE-2016-4010]

An attacker can use a vulnerability in Unauthenticated Reinstallation, in order to run code. [severity:3/4; APPSEC-1421]

An attacker can modify accounts of other users, in order to escalate his privileges. [severity:2/4; APPSEC-1422]

An attacker can trigger a Cross Site Scripting in Authorize.net, in order to run JavaScript code in the context of the web site. [severity:2/4; APPSEC-1410]

An attacker can bypass security features via quote_id_mask, in order to obtain sensitive information. [severity:2/4; APPSEC-1408]

An attacker can read error messages, in order to obtain sensitive information. [severity:2/4; APPSEC-1389]

computer vulnerability bulletin 19468

Magento SmartWave QuickView: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of Magento SmartWave QuickView, in order to read or alter data.
Impacted products: Magento EE, Magento CE.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 27/04/2016.
Identifiers: VIGILANCE-VUL-19468.

Description of the vulnerability

The Magento SmartWave QuickView product uses a database.

However, user-supplied data is inserted directly into a SQL query, without escaping or parameter binding.

An attacker can therefore use a SQL injection of Magento SmartWave QuickView, in order to read or alter data.

computer vulnerability announce 19467

Magento MD Quickview: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of Magento MD Quickview, in order to read or alter data.
Impacted products: Magento EE, Magento CE.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 27/04/2016.
Identifiers: VIGILANCE-VUL-19467.

Description of the vulnerability

The Magento MD Quickview product uses a database.

However, user-supplied data is inserted directly into a SQL query, without escaping or parameter binding.

An attacker can therefore use a SQL injection of Magento MD Quickview, in order to read or alter data.

computer vulnerability alert 19466

Magento Extreme Magento Quickshop: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of Magento Extreme Magento Quickshop, in order to read or alter data.
Impacted products: Magento EE, Magento CE.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 27/04/2016.
Identifiers: VIGILANCE-VUL-19466.

Description of the vulnerability

The Magento Extreme Magento Quickshop product uses a database.

However, user-supplied data is inserted directly into a SQL query, without escaping or parameter binding.

An attacker can therefore use a SQL injection of Magento Extreme Magento Quickshop, in order to read or alter data.

computer vulnerability 19465

Magento Extreme Magento Ajaxcart: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of Magento Extreme Magento Ajaxcart, in order to read or alter data.
Impacted products: Magento EE, Magento CE.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 27/04/2016.
Identifiers: VIGILANCE-VUL-19465.

Description of the vulnerability

The Magento Extreme Magento Ajaxcart product uses a database.

However, user-supplied data is inserted directly into a SQL query, without escaping or parameter binding.

An attacker can therefore use a SQL injection of Magento Extreme Magento Ajaxcart, in order to read or alter data.
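The four quick-view and AJAX-cart advisories above (VIGILANCE-VUL-19465 to 19468) describe the same defect: a request parameter concatenated into SQL text. The following is an added example written for this note, not the code of any of those extensions; it places that pattern next to the parameterised form. The table, rows and the tampered request value are constructed.

```php
<?php
// Added example, not extension code: request value concatenated into SQL
// versus the same lookup with a bound parameter. Table and rows constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE catalog_product (entity_id INTEGER, sku TEXT, price REAL)');
$db->exec("INSERT INTO catalog_product VALUES (1, 'SKU-1', 10.0), (2, 'SKU-2', 20.0), (3, 'INTERNAL-3', 30.0)");

// Vulnerable: the request value becomes part of the query text, so quote
// characters inside it change the structure of the statement.
function quickViewVulnerable(PDO $db, string $sku): array
{
    $sql = "SELECT entity_id, sku, price FROM catalog_product WHERE sku = '" . $sku . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is bound to a placeholder and is never parsed as SQL.
function quickViewSafe(PDO $db, string $sku): array
{
    $stmt = $db->prepare('SELECT entity_id, sku, price FROM catalog_product WHERE sku = ?');
    $stmt->execute([$sku]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request value, as it would arrive in a quick-view parameter.
$tampered = "x' OR '1'='1";

$rowsVulnerable = quickViewVulnerable($db, $tampered); // every row, including ones never meant to be listed
$rowsSafe       = quickViewSafe($db, $tampered);       // no product has that literal SKU

if (count($rowsVulnerable) !== 3 || count($rowsSafe) !== 0) {
    throw new RuntimeException('unexpected result');
}
printf("vulnerable query returned %d rows, parameterised query returned %d%s",
    count($rowsVulnerable), count($rowsSafe), PHP_EOL);
```

In a Magento 1 extension the same discipline means passing values through the adapter's quoteInto() or the collection's addFieldToFilter() instead of building the WHERE text by hand. The quickest check against an installed extension is to send a single quote in the parameter and watch for a database error or a changed result set.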

vulnerability announce 19272

Magento: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Magento.
Impacted products: Magento EE, Magento CE.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 31/03/2016.
Identifiers: VIGILANCE-VUL-19272.

Description of the vulnerability

Several vulnerabilities were announced in Magento.

An attacker can trigger a Cross Site Scripting in Authorize.net, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trick the victim into installing a malicious Language Pack, in order to run PHP code. [severity:2/4]

An attacker can use the API token endpoint to brute-force a password. [severity:2/4]

An attacker can bypass security features in the Web API, in order to obtain sensitive information. [severity:2/4]

An attacker can guess encryption keys, in order to obtain sensitive information. [severity:2/4]