Description
Check Point researchers discovered a critical remote code execution (RCE) vulnerability in the Magento web e-commerce platform that can lead to the complete compromise of any Magento-based store, exposing credit card information as well as other financial and personal data.
Remediation
A patch to address the flaws was released on February 9, 2015 (SUPEE-5344). Install this patch or upgrade to the latest version of Magento.
Related Vulnerabilities
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-35152)
F5 BIG-IP Traffic Management User Interface (TMUI) RCE
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2020-11057)
WordPress Plugin WordPress Mega Menu-QuadMenu Remote Code Execution (2.0.6)