January 26, 2016 by Yonat

Critical Magento Security Patch SUPEE-7405

New Critical Magento Security Patch

It has come to our attention at 121ecommerce that a new group of vulnerabilities has been discovered in several Magento products. In practical terms, this means hackers using SQL injection methods to break into and take over the Magento admin.

SUPEE-7405 fixes these high-risk to critical security issues. According to Magento’s security release, the patch is actually a bundle of fixes for Magento 1.x stores.

APPSEC-1213 – Stored XSS via email address (Critical Severity)

This critical cross-site scripting vulnerability is reported to be a leak during customer registration on the storefront. Through it, a hacker can steal an administrator session or act on behalf of a store administrator.

Any store on a Magento CE platform earlier than 1.9.2.3 and Magento EE earlier than 1.14.2.3 is affected. Later Magento versions are not at risk.

APPSEC-1239 – Stored XSS in Order Comments (Critical Severity)

This critical vulnerability gives hackers a path to admin takeover via comments appended to an order, which Magento could potentially interpret as JavaScript code. The attack would be executed server-side when the administrator attempts to view the order.

Any store on a Magento CE platform earlier than 1.9.2.3 and Magento EE earlier than 1.14.2.3, as well as Magento 2 CE & EE earlier than 2.0.1, is affected. Later Magento versions are not at risk.
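Both critical issues above are stored XSS: a value a customer controls (an email address at registration, a comment on an order) is saved and later rendered in the admin panel. The defensive fix is the same in both cases, escape every stored value at output time. The following is an added example written for this post, not Magento's own code (Magento 1 blocks provide `escapeHtml()` for this; the helper and function names here are our own, and the sample email and comment are constructed):

```php
<?php
// Added example (not Magento code): rendering stored customer data in an admin view.
// Plain PHP is used so the script runs stand-alone; Magento 1 offers $this->escapeHtml().

declare(strict_types=1);

/** Escape a stored string so it is inert inside HTML text and attribute values. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** VULNERABLE pattern: stored values interpolated into admin markup as-is. */
function renderOrderRowUnsafe(string $customerEmail, string $comment): string
{
    return "<tr><td>{$customerEmail}</td><td>{$comment}</td></tr>";
}

/** HARDENED pattern: every untrusted value is escaped at the point of output. */
function renderOrderRowSafe(string $customerEmail, string $comment): string
{
    return '<tr><td>' . escapeHtml($customerEmail) . '</td><td>' . escapeHtml($comment) . '</td></tr>';
}

/** Input-side layer: reject registration emails that are not syntactically valid at all. */
function isAcceptableEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample data standing in for a registration email and an order comment.
$email   = 'shopper@example.com<script>/* attacker-controlled */</script>';
$comment = 'Please gift-wrap "<b>this</b>" & deliver after 5pm';

echo renderOrderRowUnsafe($email, $comment), PHP_EOL;  // markup from the input passes through
echo renderOrderRowSafe($email, $comment), PHP_EOL;    // tag delimiters are entity-encoded

// Self-checks: the hardened output carries no raw <script> from the input,
// and the malformed email would already have been rejected at registration.
assert(strpos(renderOrderRowSafe($email, $comment), '<script>') === false);
assert(isAcceptableEmail($email) === false);
assert(isAcceptableEmail('shopper@example.com') === true);
```

Input validation alone is not the fix: an order comment legitimately contains quotes, ampersands and angle brackets, so it cannot be rejected, only encoded. Escaping at output is what makes the admin page safe regardless of how the value got into the database.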

Above we detailed the Critical Severity issues this SUPEE-7405 Magento security patch fixes. Below is a list of the High Severity issues fixed by the patch:

  • APPSEC-1260 – Stored XSS in Order
    • Affects Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
  • APPSEC-1270 – Guest order view protection code vulnerable to brute-force attack
    • Affects Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
  • APPSEC-1171 – Information Disclosure in RSS feed
    • Affects Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
  • APPSEC-1206 – CSRF token not validated on backend login page
    • Affects Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
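APPSEC-1206 in the list above concerns a backend login page that did not validate its CSRF token. The following added example, written for this post and not taken from Magento, shows what such a check looks like: a random form key bound to the session, embedded in the login form, and compared in constant time before credentials are processed. Magento calls its token `form_key`; the function names, the in-memory session array and the two sample submissions are our own constructions.

```php
<?php
// Added example (not Magento code): a session-bound anti-CSRF form key for a login page.

declare(strict_types=1);

const FORM_KEY_BYTES = 32;

/** Issue a per-session random form key, reusing it for the life of the session. */
function getFormKey(array &$session): string
{
    if (empty($session['form_key'])) {
        $session['form_key'] = bin2hex(random_bytes(FORM_KEY_BYTES));
    }
    return $session['form_key'];
}

/** Render the hidden field the login form must carry back on submit. */
function formKeyField(array &$session): string
{
    $key = htmlspecialchars(getFormKey($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_key" value="' . $key . '">';
}

/**
 * Validate a submitted form key against the session copy.
 * A missing or mismatched key rejects the request before the username and
 * password are even looked at; this is the check a login page without CSRF
 * validation lacks. hash_equals() avoids a timing side channel on the compare.
 */
function isValidFormKey(array $session, array $post): bool
{
    if (empty($session['form_key']) || !isset($post['form_key']) || !is_string($post['form_key'])) {
        return false;
    }
    return hash_equals($session['form_key'], $post['form_key']);
}

/** Login handler skeleton: CSRF check first, credential check only afterwards. */
function handleLogin(array $session, array $post, callable $checkCredentials): string
{
    if (!isValidFormKey($session, $post)) {
        return 'rejected: invalid form key';
    }
    return $checkCredentials($post) ? 'logged in' : 'rejected: bad credentials';
}

// Constructed walk-through with an in-memory "session" and two submissions.
$session = [];
$hidden  = formKeyField($session);   // this is what the real login template would print

$legitPost  = ['username' => 'admin', 'password' => 'constructed', 'form_key' => $session['form_key']];
$forgedPost = ['username' => 'admin', 'password' => 'constructed'];   // a cross-site form cannot read the key

$alwaysValid = static fn(array $p): bool => true;   // stand-in for the real credential check

assert(handleLogin($session, $legitPost, $alwaysValid) === 'logged in');
assert(handleLogin($session, $forgedPost, $alwaysValid) === 'rejected: invalid form key');
assert(isValidFormKey([], $legitPost) === false);    // no session key at all is also a rejection
```

The order of checks matters: the form key is verified before the credential callback runs, so a forged request never reaches the authentication logic. The same primitive, a random secret the browser must echo back, is what the patched login page enforces.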

An additional 10 medium-risk vulnerabilities and 4 low-risk vulnerabilities were fixed in this SUPEE-7405 Magento security patch.

Check your Magento website to see if you’re safe!

You can scan your site to see if it is vulnerable by checking your website URL on this site: https://www.magereport.com/

Have questions? Concerns about the security of your Magento site? Contact us to ascertain the safety of your website.
