Magento 2 XSS Admin hijack vulnerability
by Sansec Support
Published in Knowledgebase
On July 2nd, 2019, several vulnerabilities were published by RIPSTECH. They can be exploited by placing a specially crafted order. Once your staff views the order in the backend, their session is leaked to the attacker. Subsequently, the attacker uses another vulnerability to gain direct access to the server.
It was fixed in the following Magento versions:
Magento 2.1.18
Magento 2.2.9
Magento 2.3.2
If you are running a Magento 2 store on an older version, we recommend that you urgently update to the latest release. See the release statement from Magento for more information.
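To help decide whether a store is on a fixed release, here is an added example (not code from the advisory or from Magento) that parses the version reported by a store, for instance the output of bin/magento --version, and compares it with the fixed version of its release branch as listed above. Branches the advisory does not list are reported as unknown rather than guessed.

```python
import re
import sys

# Fixed versions from the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (2, 1): (2, 1, 18),
    (2, 2): (2, 2, 9),
    (2, 3): (2, 3, 2),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first x.y.z version from text such as "Magento CLI 2.3.1"
    (what bin/magento --version prints) or a bare "2.2.8".
    Returns a tuple of ints, or None if no version is present."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Return 'patched', 'vulnerable' or 'unknown' for the version in text.

    The comparison is done per release branch: 2.1.17 is compared with
    2.1.18, 2.2.8 with 2.2.9 and 2.3.1 with 2.3.2. Unparsable input and
    branches not covered by the advisory yield 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Usage: python check_magento_version.py "$(bin/magento --version)"
    reported = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    print(assess(reported))
```

The check relies only on the reported version string; a store whose version has not been bumped for other reasons should be verified against Magento's release statement.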