Attackers are actively exploiting a recently patched SQL injection vulnerability in the popular open-source e-commerce platform Magento. If you have not yet applied the security update or patch, do so now.
While the vulnerability has no CVE number yet, the Magento security team tracks it as PRODSECBUG-2198.
According to the team, an unauthenticated user can execute arbitrary code through the SQL injection flaw, which leads to leakage of sensitive data.
The bug impacts Magento Open Source prior to 126.96.36.199, Magento Commerce prior to 188.8.131.52, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1.
Administrators of Magento-based sites are advised to upgrade to Magento Open Source 184.108.40.206 or Magento Commerce 220.127.116.11 (or, where upgrading is not possible, to apply the SUPEE-11086 patch bundle), Magento 2.2.8, or Magento 2.3.1.
The team added that cloud customers can upgrade ECE-Tools to version 2002.0.17 to have the flaw in the main application repaired automatically, and that its infrastructure team has deployed additional WAF rules worldwide to block all currently known ways of exploiting the vulnerability.
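Patching is the fix; the WAF rules mentioned above are a stop-gap that only blocks exploitation paths already known. Site operators without a managed WAF can still look for exploitation attempts in their own web server access logs. The following script is an added example, not code from the article or from Magento: it parses combined-format access log lines, URL-decodes the request target (twice, to catch double encoding), and flags requests carrying generic SQL injection indicators such as UNION ... SELECT, time-based functions and tautologies. The log lines are constructed for the example and the indicator list is a starting point, not a complete ruleset.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2019:10:12:01 +0000] "GET /catalog/category/view/id/3 HTTP/1.1" 200 5120
203.0.113.9 - - [27/Mar/2019:10:12:07 +0000] "GET /index.php?sort=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2100
198.51.100.2 - - [27/Mar/2019:10:13:44 +0000] "POST /checkout/cart/add HTTP/1.1" 302 0
198.51.100.7 - - [27/Mar/2019:10:14:03 +0000] "GET /search?q=shoes'%20OR%20SLEEP(5)%23 HTTP/1.1" 200 1800
"""

# Minimal parser for the common/combined log line layout.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Generic SQL injection indicators, matched against the decoded request target.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
    "tautology": re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),
    "comment": re.compile(r"(--|/\*|#)"),
}


def normalize(target: str, rounds: int = 2) -> str:
    """URL-decode the target repeatedly (bounded) so double encoding cannot hide keywords."""
    s = target
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str) -> List[str]:
    """Return the names of the indicators found in a request target."""
    decoded = normalize(target)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    # A comment sequence on its own is weak evidence (fragments, plain '#' in data);
    # only report it when it accompanies another indicator.
    if hits == ["comment"]:
        return []
    return hits


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse every log line and return the suspicious requests with their indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        hits = classify(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "target": normalize(m.group("target")),
                "status": int(m.group("status")),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {','.join(f['indicators'])} {f['target']}")
```

Run it against the sample and two of the four lines are reported; in production you would feed it the real access log, treat a 200 response to a flagged request as more urgent than a 4xx, and pair the output with the patch status of the affected hosts.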
PRODSECBUG-2198 was discovered by Charles Fol, a security engineer at Ambionics; the security updates and patches were released two weeks ago, on March 26.
The exploitation attempts appear to have been driven by the publication of a PoC exploit and other vulnerability details a few days after the patches were released.
In addition to this vulnerability, the Magento security updates resolve another 36 issues, some of them serious.