Description

Check Point researchers discovered a critical RCE (remote code execution) vulnerability in the Magento web e-commerce platform that can lead to the complete compromise of any Magento-based store, including credit card information as well as other financial and personal data.

Remediation

A patch to address the flaws was released on February 9, 2015 (SUPEE-5344). Install this patch or upgrade to the latest version of Magento.

References

Analyzing the Magento Vulnerability

Magento Community Edition Patches

Related Vulnerabilities

XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-40177)

PHP 5.3.9 remote code execution

XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-26477)

WordPress caching plugins PHP code execution

WordPress Plugin WP Maintenance Mode Remote Code Execution (2.0.6)

Severity

High

Classification

CVE-2015-1397 CVE-2015-1398 CVE-2015-1399 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution