SQL Injection Affecting magento/core package, versions <1.9.4.1
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Threat Intelligence
Exploit Maturity
Mature
EPSS
0.58% (78th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-MAGENTOCORE-174031
- published 30 Mar 2019
- disclosed 29 Mar 2019
- credit Charles Fol, Ambionics Security
Introduced: 29 Mar 2019
CVE-2019-7139 Open this link in a new tabHow to fix?
Upgrade magento/core
to version 1.9.4.1 or higher.
Overview
magento/core is a release of the Magento Community Edition.
Affected versions of this package are vulnerable to SQL Injection. A bug in both internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php
and lib/Varien/Db/Adapter/Pdo/Mysql.php
allows for a SQLi vector in Magento\Catalog\Controller\Product\Frontend\Action\Synchronize
.
PoC
by Charles Fol
https://magento2website.com/catalog/product_frontend_action/synchronize?
type_id=recently_products&
ids[0][added_at]=&
ids[0][product_id][from]=?&
ids[0][product_id][to]=))) OR (SELECT 1 UNION SELECT 2 FROM DUAL WHERE 1=1) -- -