On January 20th, 2016, Magento released patch bundle SUPEE-7405, which fixed a vulnerability on Magento CE 1.9.2.3 and Magento EE 1.14.2.3. However, if you are running a version older than Magento CE 1.9.2.3 or Magento EE 1.14.2.3, you are at risk of hijacking. How to tell?

It is a stored XSS vulnerability affecting the Magento platform, and it is easily exploited remotely. Attackers can take over your site, create new administrator accounts and steal client information or anything else. The issue exists in app/design/adminhtml/default/default/template/sales/order/view/info.phtml.

The template appends the getCustomerEmail method's return value to the administration panel. It accepts two different forms of email:

  • Regular ones
  • Quoted string format, which accepts any printable character, excluding whitespace characters other than the regular space, as long as it is surrounded by two double quotes.

This means that you could use an email like "><script>alert(1);</script>"@abc.com as a client's account email, place an order and see what happens when an administrator checks the order in the admin panel. As a result, an XSS was triggered in Magento Core.
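An added example, not code from Magento or from the original post: a Python sketch that audits exported order emails for the quoted-string form described above and shows the output escaping that renders such an address inert. The order IDs, sample addresses and function names are constructed for illustration.

```python
import html

# Characters that change HTML parsing when echoed into a page unescaped.
HTML_META = set("<>\"'&")

# Constructed sample rows (order id, customer email); not real data.
SAMPLE_ORDERS = [
    ("100000101", "jane.doe@example.com"),
    ("100000102", '"john smith"@example.com'),
    ("100000103", '"><script>alert(1);</script>"@abc.com'),
    ("100000104", "no-at-sign.example.com"),
]


def split_address(email):
    """Split at the LAST '@': a quoted local part may itself contain '@'."""
    local, sep, domain = email.rpartition("@")
    return (local, domain) if sep and local and domain else None


def classify(email):
    """Label an address by the form of its local part."""
    parts = split_address(email)
    if parts is None:
        return "malformed"
    local = parts[0]
    if len(local) >= 2 and local[0] == '"' and local[-1] == '"':
        # Quoted-string form: inspect what sits between the quotes.
        return "quoted-markup" if HTML_META & set(local[1:-1]) else "quoted"
    # Unquoted local parts may not carry markup characters or spaces.
    return "malformed" if set('<>" ') & set(local) else "regular"


def render_cell(email):
    """Escape for HTML text and attribute contexts before output."""
    return html.escape(email, quote=True)


def audit(orders):
    """Return rows whose stored email carries markup inside a quoted string."""
    return [(oid, email) for oid, email in orders
            if classify(email) == "quoted-markup"]


if __name__ == "__main__":
    for oid, email in audit(SAMPLE_ORDERS):
        print(oid, "->", render_cell(email))
```

Escaping at output is the control that matters here: the quoted-string address is syntactically acceptable as an email, so input validation alone does not reject it.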

If you are using a vulnerable version of Magento, please update or patch it ASAP.