Magento has advised users of Magento Open Source 1 and Magento Commerce 1 e-commerce platforms to download the latest updates. The discovery of two security threats has necessitated this.
The most dangerous and critical error is a PHP object injection bug that could result in random code execution. Ranked as ‘important,’ the other threat is a stored cross-site scripting (XSS) error. If this flaw is exploited, it can lead to the disclosure of sensitive data.
However, to execute both flaws, you require administrative privileges.
Easy to exploit
During an interview with the Daily Swing, Yonathan Klansman, director of threat research at RiskIQ said, “PHP object injection bugs are issues related to how input is dealt with and, in this case, providing (in essence) PHP code will make the server execute it,”
Therefore, it gives hackers the ability to execute PHP code on the server. That means the attackers will have full access, and that is why it is ranked as a critical threat.
It is not something new. Similar threats have happened in platforms such as WordPress, and that is narrowed down to how input is sequenced- often, these are easy to exploit.
The two threats are present in all versions of Magento Open Source 1(formerly Magento Community Edition) and Magento Commerce 1(previously Magento Enterprise Edition) up to and including 18.104.22.168.
In a blog post published on 24th June 2020, the software giant stated: “We’ve been working closely with customers, partners, and developers on transition plans through the Magento 1 [end-of-life] timeline.”
The decision to withdraw support for the release line, which has lasted for 12 consecutive years, was publicized in September 2018.