Magento has an XSS vulnerability, which allows attackers to manipulate online malls.

Magento has an XSS vulnerability, which allows attackers to manipulate online malls.

Magento is an open-source e-commerce system. It is mainly for enterprise applications and can handle e-commerce needs, including shopping, shipping, and product reviews, in the end, it will help build a multi-purpose and applicable e-commerce website.
The Magento project team has released patches to fix a high-risk security vulnerability on Magento.
Vulnerability Information
This vulnerability was discovered by the security vendor Sucuri in November 10, 2015 and can be exploited in the following scenarios: when a user registers for a new account, or when the user changes the email address of the current account, the email account is submitted.
The key to this issue lies in how the Content Management System (CMS) filters the data that contains the email address information entered on the user side. According to Sucuri research, Magento does not effectively filter possible malicious characters in the email address.
This insecure data filtering mechanism allows attackers to add malicious code while inputting an email address.
Vulnerability Analysis
This problem exists in the Magento app/design/adminhtml/default/template/sales/order/view/info. phtml

As shown in the code segment above, the template will pass the returned value of the getcustomeremail method (that is, the email address entered by the user) to the Management Panel. Further analysis is also found in the following code segment:

According to the rules written in the above code snippet, Magento can accept two different mail formats:
1. A common type with no double quotation marks and no"
At this moment, in theory, we try to use "> alert (1);" @ sucuri.net as the user account mailbox, submit an order, next, observe what happens when the Administrator checks the order we submitted on the background management panel?

The results confirm our speculation that Magento does have an XSS vulnerability.
Vulnerability usability
As shown in the previous POC results, if an attacker then places an order using an account with a malicious code address, when the website administrator opens the order in the background, then the malicious code will be executed. Based on the attack principle, this vulnerability can be easily exploited by any attacker.
For example, JavaScript code can be used to access cookies. Therefore, attackers can steal administrator cookies and then use them to access websites illegally. Of course, other attacks can also be implemented. The attack method also depends on the technical capabilities of the attacker.
WordPress sites previously faced the same problem
In principle, this vulnerability is similar to an XSS Vulnerability Detected by Sucuri in July in Jetpack WordPress plugin. The XSS vulnerability of Jetpack WordPress plugin also allows attackers to attach malicious code to an email address and send it to the background through feedback. As a result, attackers can execute malicious code in the background.
Affected Versions
Currently, versions affected include Magento Community version 1.9.2.3 and earlier, and Magento Enterprise version 1.14.2.3 and earlier. The current 2.x version is not affected by this issue.
If the Magento version is still running, the website administrator must upgrade the online marketplace as soon as possible.