Security Risk: Dangerous
Exploitation Level: Easy/Remote
DREAD Score: 7/10
Vulnerability: Stored XSS
Patched Version: Magento CE 1.9.2.3, Magento EE 1.14.2.3 (patch bundle SUPEE-7405)
During our regular research audits for our cloud-based WAF, we discovered a Stored XSS vulnerability in the Magento platform that can be exploited remotely with little effort. We notified the Magento security team and worked with them to get it fixed.
Vulnerability Disclosure Timeline:
- November 10th, 2015 – Bug discovered, initial report to Magento’s security team
- December 1st, 2015 – No response from Magento. Requested confirmation of our previous email.
- December 1st, 2015 – Magento acknowledges receipt of the report.
- January 7th, 2016 – Requested an ETA; two months have passed since the original report.
- January 11th, 2016 – Magento answers that the patch is ready, but no ETA available.
- January 20th, 2016 – Magento releases patch bundle SUPEE-7405, which fixes the issue
- January 22nd, 2016 – Sucuri public disclosure of the vulnerability.