Magento 1 & 2 critical SQL injection flaw

by Team Sansec

Published in Guides

In March 2019, a critical SQL injection flaw was discovered in Magento 1 and 2. This allows attackers to read and write to your database. A common attack pattern is that your admin passwords are stolen.

To fix this, install these Magento-supplied patches:

Magento 1
Magento 2

Installed these patches and eComscan still reports this issue? In some cases, the old (vulnerable) code is cached and still active. You should flush all caches. See also this Stackoverflow question.

It is also possible that you have a duplicate of the (older) Magento code located under your hosting account. In that case, it is recommended to purge the older version.

Easy CSP for your store?

Try Sansec Watch! Free, simple and fully integrated. Get PCI compliant alerting with minimal effort.

Sansec Watch

Need expert advice? We are here to help!

Contact

Magento 1 & 2 critical SQL injection flaw

Easy CSP for your store?

Made with ❤

Stay up to date with the latest eCommerce attacks

experts in eCommerce security

Terms & Conditions
|
Privacy & Cookie Policy
|
Company Reg 77165187
|
Tax NL860920306B01

Magento 1 & 2 critical SQL injection flaw

Easy CSP for your store?

Made with ❤

Stay up to date with the latest eCommerce attacks

experts in eCommerce security

Terms & Conditions|Privacy & Cookie Policy|Company Reg 77165187|Tax NL860920306B01

Terms & Conditions
|
Privacy & Cookie Policy
|
Company Reg 77165187
|
Tax NL860920306B01