Strike ID:
E19-p08m1
CVSS:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
False Positive:
t
Variants:
2
Year:
2019

Description

This strike emulates a SQL injection attack on the Magento e-commerce platform. The vulnerable code resides in vendor/magento/framework/DB/Adapter/Pdo/Mysql.php, and the flaw is due to the way request parameters are parsed. By exploiting the /catalog/product_frontend_action/synchronize endpoint, a remote unauthenticated attacker could access the database and even leverage the vulnerability to obtain administrator privileges and remote code execution.
