Freely subscribe to our NEWSLETTER

This bulletin was written by Vigil@nce : https://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

Several vulnerabilities were announced in Magento version 2.

Impacted products: Magento CE, Magento EE.

Severity: 2/4.

Creation date: 21/01/2016.

DESCRIPTION OF THE VULNERABILITY

Several vulnerabilities were announced in Magento version 2.

An attacker can trigger a Cross Site Scripting in User Name, in
order to run JavaScript code in the context of the web site.
[severity:2/4]

An attacker can bypass security features in Block Cache, in order
to obtain sensitive information. [severity:2/4]

An attacker can trigger a Cross Site Scripting in Order Comments,
in order to run JavaScript code in the context of the web site.
[severity:2/4]

An attacker can use a SQL injection in Layered Navigation, in
order to read or alter data. [severity:2/4]

An attacker can perform a brute force on Guest Order View, in
order to escalate his privileges. [severity:2/4]

An attacker can trigger a Cross Site Scripting in Custom Options,
in order to run JavaScript code in the context of the web site.
[severity:2/4]

An attacker can bypass security features in Reviews, in order to
escalate his privileges. [severity:2/4]

An attacker can bypass security features of a CAPTCHA, in order to
escalate his privileges. [severity:2/4]

An attacker can trigger a Cross Site Scripting in Cookie Header,
in order to run JavaScript code in the context of the web site.
[severity:2/4]

An attacker can trigger a Cross Site Request Forgery in Delete
Items from Cart, in order to force the victim to perform
operations. [severity:2/4]

An attacker can inject code in the database, in order to escalate
his privileges. [severity:1/4]

An attacker can bypass security features of the MaliciousCode
Filter, in order to escalate his privileges. [severity:2/4]

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

https://vigilance.fr/vulnerability/Magento-2-multiple-vulnerabilities-18782