Magento 2 XSS Admin hijack vulnerability

by Sansec

Published in Guides

On July 2nd, 2019, several vulnerabilities were published by RIPSTECH. They can be exploited by placing a specially crafted order. Once your staff views the order in the backend, their session is leaked to the attacker. Subsequently, the attacker uses another vulnerability to gain direct access to the server.

It was fixed in the following Magento versions:

Magento 2.1.18 Magento 2.2.9 Magento 2.3.2

If you are running a Magento 2 store with an older version, we recommend to urgently update to the latest version. See the release statement from Magento for more information.

Easy CSP for your store?

Try Sansec Watch! Free, simple and fully integrated. Get PCI compliant alerting with minimal effort.

Sansec Watch

Need expert advice? We are here to help!

Contact

Magento 2 XSS Admin hijack vulnerability

Easy CSP for your store?

Made with ❤

Stay up to date with the latest eCommerce attacks

experts in eCommerce security