Magento is one of the most popular platforms that businesses use to build and manage their websites. That makes it an enticing target for attackers. Magento stores are attacked in the wild, and a critical remote code-execution vulnerability makes that threat very real. Security is therefore a serious concern.
Since Magento powers a significant portion of online eCommerce, it is no surprise that hackers and skimmers often target it. Cybercriminals attack websites built on unpatched versions of the platform to access confidential data: injected scripts steal customers’ payment card details and other sensitive information entered on the page.
There is a vulnerability (CVE-2019-8144) with a severity rating of 10 out of 10 on the CVSS v3 scale. It enables an unauthenticated user to insert a malicious payload into a merchant’s site via Page Builder template methods and then execute it. Page Builder lets site operators design content updates, preview them live, and schedule them for publication; the bug lies specifically in the preview function.
This flaw affected Magento 2.3 and was patched in Magento Commerce 2.3.3 and with the security-only patch 2.3.3-p2 released in October. The company has stated that patching has the side effect of “blocking administrators from viewing previews for products, blocks and dynamic blocks”, but has assured merchants that it will re-enable the preview functionality as soon as possible.
Piotr Kaminski of the Magento security team wrote in a post on Monday: “We recommend that all merchants, even those who have already upgraded to 2.3.3 or applied security-only patch 2.3.2-p2, review the security of their Magento site to confirm that it was not potentially compromised before the upgrade.” He further added: “Applying this hotfix or upgrading…will help defend your store against potential attacks going forward, but will not address the effects of an earlier attack. The same update patches several other critical remote-execution flaws with CVSS v3 scores of 9 and above, as well as cross-site scripting (XSS) issues.”
According to RiskIQ, there are 573 known command-and-control (C2) domains for the Magecart group and nearly 10,000 hosts actively loading those domains. RiskIQ has detected almost 2 million instances of Magecart’s JavaScript, with more than 18,000 eCommerce hosts directly breached.
Some crucial measures to secure your Magento store from Magecart attacks:
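One such measure, written here as an added example (not code from the original post): a script-inventory check that parses a checkout page’s HTML, flags external scripts loaded from hosts outside a store-specific allowlist, and hashes inline scripts so each run can be diffed against a known-good baseline. The hostnames and the sample HTML are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example", "static.shop.example"}  # assumed, store-specific

# Constructed sample of a checkout page: two legitimate scripts, one inline
# config block, and one script from a host that is not on the allowlist.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://static.shop.example/js/checkout.js"></script>
<script src="/static/frontend/theme/require.js"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
<script src="//cdn-stats.example/analytics.js"></script>
</head><body></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag: its external src, or its inline body."""
    def __init__(self):
        super().__init__()
        self.scripts = []      # list of {"src": str | None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}
            self.scripts.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._current = None


def audit_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Flag external scripts from hosts outside the allowlist and hash every
    inline script so the result can be diffed against a known-good baseline."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = {"unknown_external": [], "inline_hashes": []}
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""
            if host and host not in allowed_hosts:   # relative src = same origin
                findings["unknown_external"].append(s["src"])
        else:
            digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()
            findings["inline_hashes"].append(digest)
    return findings
```

Run it on a scheduled basis against the live checkout page and alert on any new entry in either list; a skimmer that appears as a new external host or a changed inline hash shows up before customers’ card data does.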
Conclusion
Magento is a fantastic platform for creating a thriving website. It has a 24/7 support team that works consistently on maintenance and security updates. We recommend Magento store owners stay current on the best security practices. As the old saying goes, “it’s better to be safe than sorry”. Talk with a trusted Magento upgrade service provider to upgrade your Magento store before it’s too late.