Magento Warns E-Commerce Sites to Upgrade ASAP to Prevent Attacks


The popular e-commerce platform Magento is urging web administrators to install its latest security update in order to defend against malicious attacks in the wild that could exploit a critical remote code-execution vulnerability.

While the company didn’t specify what kinds of potential attacks websites should be concerned about (Threatpost reached out for comment on this), Magento is a common target for the Magecart association of threat groups, which compromise websites built on unpatched e-commerce platforms in order to inject card-skimming scripts on checkout pages. The scripts steal unsuspecting customers’ payment card details and other information entered into the fields on the page.

The vulnerability (CVE-2019-8144), which carries a severity ranking of 10 out of 10 on the CVSS v.3 scale, could enable an unauthenticated user to insert a malicious payload into a merchant’s site through Page Builder template methods, and execute it. Page Builder allows websites to design content updates, preview them live and schedule them to be published. The bug specifically exists in the preview function.

The flaw affects Magento 2.3, and was patched in Magento Commerce 2.3.3 and with the security-only patch 2.3.2-p2, released in October. The company warned that patching will have the side effect of “blocking administrators from viewing previews for products, blocks and dynamic blocks”; but it said it will re-enable the preview functionality as soon as possible.

“We recommend that all merchants, even those who have already upgraded to 2.3.3 or applied security-only patch 2.3.2-p2, review the security of their Magento site to confirm that it was not potentially compromised before upgrade,” Piotr Kaminski of the Magento security team wrote in a posting on Monday. “Applying this hot fix or upgrading…will help defend your store against potential attacks going forward, but will not address the effects of an earlier attack.”

The same update patches several other critical remote code-execution flaws with a CVSS v.3 score of 9 and above, as well as cross-site scripting (XSS) issues.

The warning comes as Magecart activity and infrastructure continue to saturate the web. According to analysis from RiskIQ last month, there are now 573 known command-and-control (C2) domains for the group, with close to 10,000 hosts actively loading those domains. In all, RiskIQ has detected almost 2 million (2,086,529) instances of Magecart’s JavaScript binaries, with over 18,000 e-commerce hosts directly breached.

“It is unfortunate that this kind of attack is still succeeding even though a mitigation is quite straightforward,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, via email. “As a last resort, website owners should periodically check the integrity of their script code, which can be as simple as calculating a checksum every few minutes to look for an unexpected change.”

 
