Critical Magento SQL injection flaw could be targeted by hackers soon

The Magento content management system used by thousands of online shops has received fixes for several serious vulnerabilities, including an unauthenticated SQL injection flaw that’s likely to soon become a target for attackers.

Magento, an Adobe-owned company since 2018, released patches for 37 security issues affecting both the commercial and open-source versions of its platform. Exploitation of the flaws can enable remote code execution, SQL injection, cross-site scripting, privilege escalation, information disclosure and spamming.

Four vulnerabilities have a score higher than 9 on the Common Vulnerability Scoring System (CVSS) scale, which means they’re critical. Of those, one SQL injection flaw is of particular concern to researchers because it can be exploited without authentication. “The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their ecommerce websites,” researchers from Web security firm Sucuri said in a blog post.

The researchers have already reverse-engineered the patch and created a working proof-of-concept exploit for internal testing. They haven’t released it publicly yet, but it’s very likely attackers will soon figure out on their own how to exploit the flaw.