Magento Platform: If you use Magento to power your ecommerce shop, it would be a very good idea to make sure you are up to date with your patches, as hundreds of thousands of sites are at risk of attacks made possible by a just-patched vulnerability in the Magento ecommerce platform. If this feels like déjà vu, it is because only last year Magento was hit by another bold attack.
The bug is located within Magento's core libraries, more precisely within the admin backend, a Sucuri advisory explained. Unless you are behind a WAF or have a very heavily modified admin panel, you are exposed to the threat. Because this is a stored XSS vulnerability, it could be used by attackers to take control of your site, create new admin accounts, steal customer details, and do anything else a legitimate admin account holder is permitted to do.
Timeline for Vulnerability Disclosure:
Now you might assume that Magento hurried to get the vulnerability patched; well, according to a timeline released by Sucuri, the risk was reported to the company around November 2015, and a patch was not released until just recently, as you can see in the full timeline below:
- November 10 – 2016; Bug discovered; initial report to Magento's security team
- December 1st – 2016; No reaction from Magento. Requested confirmation of the previous mail.
- December 1st – 2016; Magento acknowledges receipt of the report.
- January 7th – 2017; Requested an ETA; 60 days since the first report.
- January 11th – 2017; Magento responds that the patch is ready, but no ETA is available.
- January 20th – 2017; Magento releases patch package SUPEE-7405, which resolves the issue
- January 22nd – 2017; Sucuri public release of the vulnerability.
What is the meaning of this?
If you have yet to install the latest patch, you should do it sooner rather than later, as anything else leaves you running the risk of exposure to a potentially very dangerous threat. As with any other security patch, there is a reason it was released, so do not play Russian roulette with your online business.
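One way to check that SUPEE-7405 is actually in place on a Magento 1 install is to read the list of applied patches that the patch scripts maintain. The example below is added here and is not Sucuri's or Magento's own code; it assumes the file is `app/etc/applied.patches.list`, that each record is one pipe-separated line naming the patch, and that a reverted patch leaves a later record containing `REVERTED` (the sample listings are constructed).

```python
import re
from typing import Dict, List

# Constructed sample listings in the assumed app/etc/applied.patches.list layout.
# The last record for a patch id wins, so a revert after an apply means "not applied".
LISTING_PATCHED = """\
2015-10-27 15:27:10 UTC | SUPEE-6788 | CE_1.9.2.2 | v1 | SUPEE-6788_CE_1.9.2.2_v1.sh
2016-01-21 09:12:44 UTC | SUPEE-7405 | CE_1.9.2.2 | v1 | SUPEE-7405_CE_1.9.2.2_v1.sh
"""

LISTING_REVERTED = """\
2015-10-27 15:27:10 UTC | SUPEE-6788 | CE_1.9.2.2 | v1 | SUPEE-6788_CE_1.9.2.2_v1.sh
2016-01-21 09:12:44 UTC | SUPEE-7405 | CE_1.9.2.2 | v1 | SUPEE-7405_CE_1.9.2.2_v1.sh
2016-01-22 10:00:03 UTC | SUPEE-7405 | CE_1.9.2.2 | v1 | SUPEE-7405_CE_1.9.2.2_v1.sh | REVERTED
"""

PATCH_ID = re.compile(r"\bSUPEE-\d+\b")


def applied_patches(listing: str) -> Dict[str, bool]:
    """Map each patch id seen in the listing to True (applied) or False (reverted)."""
    state: Dict[str, bool] = {}
    for line in listing.splitlines():
        match = PATCH_ID.search(line)
        if not match:
            continue  # blank line or a record that names no SUPEE patch
        # Records are chronological, so a later revert overrides an earlier apply.
        state[match.group(0)] = "REVERTED" not in line.upper()
    return state


def missing_patches(listing: str, required: List[str]) -> List[str]:
    """Return the required patch ids that are absent or reverted in the listing."""
    state = applied_patches(listing)
    return [patch for patch in required if not state.get(patch, False)]


if __name__ == "__main__":
    # Assumed path for a live install; the constructed samples above avoid file access.
    with open("app/etc/applied.patches.list", encoding="utf-8") as fh:
        print("Missing:", missing_patches(fh.read(), ["SUPEE-6788", "SUPEE-7405"]))
```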