200,000 Magento Merchants Vulnerable to High-Risk Zero-Day

An unpatched remote code execution vulnerability within the Magento ecommerce platform currently places up to 200,000 online retailers at risk of system compromise and sensitive data theft. If exploited, this vulnerability could allow the remote execution of malicious code on a targeted installation of Magento, should the platform administrator visit a URL that triggers a cross-site request forgery (CSRF) attack. This vulnerability impacts Magento Community Edition software versions up to 2.1.6. The NJCCIC recommends enforcing the use of “Add Secret Key to URLs” within Magento to mitigate this threat.
