
Web Attack: Magento SQL Injection CVE-2015-1397

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a SQL injection vulnerability in the Magento e-commerce platform.

Additional Information

SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.
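As an added example (not part of the Symantec signature or Magento's own code), the following Python scans access-log lines for the parameter combination described above: popularity[field_expr] together with popularity[from] or popularity[to]. The log lines, the URL path and the parameter values are constructed placeholders, not the real endpoint or a real payload.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines (not real traffic). The admin
# path is a placeholder; only the query-string parameters matter here.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:00 +0000] "GET /index.php/admin/PLACEHOLDER_GRID/?popularity[from]=1&popularity[to]=10 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2015:10:00:01 +0000] "GET /index.php/admin/PLACEHOLDER_GRID/?popularity[field_expr]=x HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2015:10:00:02 +0000] "GET /index.php/admin/PLACEHOLDER_GRID/?popularity%5Bfrom%5D=1&popularity%5Bfield_expr%5D=x HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2015:10:00:03 +0000] "GET /index.php/catalog/product/view/id/1 HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRIGGER = "popularity[field_expr]"
RANGE_KEYS = ("popularity[from]", "popularity[to]")


def extract_params(target):
    """Return the decoded query parameters of a request target.

    parse_qs percent-decodes names, so popularity%5Bfield_expr%5D and
    popularity[field_expr] both normalise to the same key.
    """
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def is_suspicious(params):
    """True when the vulnerable condition from the advisory is present:
    field_expr is supplied together with a from/to bound."""
    return TRIGGER in params and any(k in params for k in RANGE_KEYS)


def scan_log(text):
    """Return (client_ip, request_target) for each matching GET request.

    Caveat: access logs carry no POST body, so the same parameters sent in
    a form body are invisible to this check; inspect them at the WAF or
    application layer instead.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(extract_params(m.group("target"))):
            hits.append((m.group("ip"), m.group("target")))
    return hits
```

Only the percent-encoded request from 10.0.0.7 is reported; field_expr on its own (10.0.0.6) does not meet the stated from/to precondition and is left for a human to review.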

Affected

  • Various

Response

Apply the patch as soon as possible. Always keep Magento products up to date. If you don't use Magento products but are seeing this alert, you are probably safe.