Security Announcement – SQL Injection Vulnerability

05.2.16

Security Announcement

Magento has released a new security announcement disclosing an SQL injection vulnerability that impacts several third-party themes and extensions.

SQL injection is an attack technique in which malicious SQL statements are inserted through user input that the application fails to validate before building a query. The result can range from detailed error messages that disclose back-end technology information to access to restricted data, obtained by inserting an "always-true" Boolean condition into the query. This vulnerability was found not to impact the core Magento application.
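The two failure modes described above, error disclosure and an always-true condition, are easiest to see side by side. The following is an added example written for this post; it is not code from Magento or from any of the extensions named in the announcement. It builds a constructed in-memory product table with SQLite and compares a lookup that pastes the request parameter into the SQL text against the same lookup using a bound parameter:

```python
import sqlite3

# Constructed sample catalogue standing in for a shop's product table.
# The third row is hidden from customers and should never be returned.
SAMPLE_PRODUCTS = [
    ("SKU-100", "Blue Widget", 1),
    ("SKU-200", "Red Widget", 1),
    ("SKU-300", "Unreleased Gadget", 0),
]


def make_db():
    """Create a fresh in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (sku TEXT, name TEXT, visible INTEGER)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def quickview_vulnerable(conn, sku):
    """Lookup that interpolates untrusted input straight into the SQL text.

    Anything the caller sends becomes part of the statement, so a quote in
    the input can change the query's structure.  (Hypothetical code written
    to illustrate the defect, not taken from any real extension.)
    """
    sql = f"SELECT sku, name FROM product WHERE sku = '{sku}' AND visible = 1"
    return conn.execute(sql).fetchall()


def quickview_safe(conn, sku):
    """Same lookup with a bound parameter.

    The database receives the statement and the value separately; the value
    is only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT sku, name FROM product WHERE sku = ? AND visible = 1"
    return conn.execute(sql, (sku,)).fetchall()


def probe(lookup, sku):
    """Run one lookup against a fresh database.

    Returns the rows, or the exception type name if the query failed.  A
    failing query is the "error disclosure" case: in a real deployment the
    database error text would typically be echoed back to the requester.
    """
    conn = make_db()
    try:
        return lookup(conn, sku)
    except sqlite3.Error as exc:
        return type(exc).__name__
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a normal SKU, a lone quote that breaks the
    # statement, and an always-true condition that comments out the
    # visibility check.
    for label, value in [("normal", "SKU-100"),
                         ("bare quote", "'"),
                         ("always-true", "x' OR 1=1 --")]:
        print(f"{label:12} vulnerable -> {probe(quickview_vulnerable, value)}")
        print(f"{label:12} safe       -> {probe(quickview_safe, value)}")
```

With the normal SKU both versions return one row. With the bare quote the interpolating version fails with a parse error while the parameterised version simply finds nothing. With the always-true input the interpolating version returns every row, hidden product included, because the rest of the WHERE clause has been commented out; the parameterised version again returns nothing, because the whole string is compared against the `sku` column as a literal.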

Here’s what you need to do.

As a merchant, you will need to identify whether your store uses any of the third-party themes or extensions listed in the security announcement reproduced below. If you are not sure, please contact a Magento certified developer to help you determine whether these extensions are present in your e-commerce website. If they are, you will need to reach out to the extension/theme developer for an updated version of the extension and have it installed in your store.

Neoverve offers certified Magento developers to install or update any extension or module the right way. Our development process ensures that any change is made safely and tested on a developer's secure workstation before it is applied to your live site. Contact us for more information.


Here is Magento's Security Announcement:

Third-Party Themes and Extensions Are at Risk

We recently learned that an SQL injection vulnerability has been found in several third-party themes and extensions. Extensions with the vulnerability include:

  • EM (Extreme Magento) Ajaxcart
  • EM (Extreme Magento) Quickshop
  • MD Quickview
  • SmartWave QuickView

These extensions are used in several different themes, including Porto, Trego, and Kallyas from SmartWave. Other SmartWave themes may also be at risk. Vulnerable EM modules are used in some EM themes. The core Magento application is not impacted in any way by this vulnerability.

We’ve received reports that the SQL injection vulnerability is potentially being exploited. If you currently use these extensions or themes, you should immediately contact the company from which you purchased the extensions or themes to request updated code. We understand that Themeforest, part of Envato Market, has already removed the vulnerability from the Porto theme, but the status of other themes and extensions is unknown.

It is also important for you to evaluate all your Magento administrator accounts to make sure there are no unknown users and to reset all your administrator passwords. Please review the Magento Security Best Practices for more information on how to secure your site and use magereport.com to scan your site for missing patches or known issues.

This update is part of our ongoing commitment to advise our merchants on security issues as we become aware of them. We thank you for your attention to this matter.

Best regards,
The Magento Team
