On September 3, the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an alert about multiple PHP vulnerabilities that could allow arbitrary code execution, with a recommendation that all sites using PHP update to the latest PHP version as soon as possible (the full alert is available here).
Magento is an open-source e-commerce platform written in PHP.
Magento Commerce and Magento Open Source suffer from multiple vulnerabilities, including RCE, XSS and XSRF, along with an SQL injection vulnerability exploitable by an unauthenticated user (PRODSECBUG-2198).
Affected versions: Magento Open Source prior to 220.127.116.11, Magento Commerce prior to 18.104.22.168, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1.
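A branch-aware version check for the Magento 2.x lines listed above, as an added example that is not Magento's or Qualys's code. It assumes only the fixed releases stated in the advisory (2.1.17, 2.2.8, 2.3.1), omits the 1.x lines, and deliberately returns "unknown" for branches the advisory does not mention rather than assuming they are safe.

```python
"""Decide whether a Magento 2.x version predates its branch's PRODSECBUG-2198 fix.

Added example; the fixed versions come from the advisory text (2.1.17, 2.2.8, 2.3.1).
"""
from typing import Optional, Tuple

# First fixed release per minor branch, per the advisory: anything earlier is affected.
FIXED_BY_BRANCH = {
    (2, 1): (2, 1, 17),
    (2, 2): (2, 2, 8),
    (2, 3): (2, 3, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.2.7' or '2.3.0-p1' into a comparable integer tuple (patch suffix dropped)."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: Tuple[int, ...]) -> Optional[Tuple[int, int, int]]:
    """Return the branch's first fixed release, or None if the branch is not in the advisory."""
    if len(version) < 2:
        return None
    return FIXED_BY_BRANCH.get((version[0], version[1]))


def is_affected(text: str) -> Optional[bool]:
    """True if the version predates its branch's fix, False if it is at or after it.

    Returns None when the branch lies outside the advisory (e.g. 2.0.x or 2.4.x),
    so the caller must decide explicitly instead of treating "unlisted" as safe.
    """
    version = parse_version(text)
    fixed = fixed_version_for(version)
    if fixed is None:
        return None
    # Pad to three components so a bare '2.3' compares like '2.3.0'.
    core = version[:3]
    padded = tuple(list(core) + [0] * (3 - len(core)))
    return padded < fixed


if __name__ == "__main__":
    # Constructed sample inputs covering each branch and an out-of-scope one.
    for v in ["2.1.16", "2.1.17", "2.2.8", "2.3.0-p1", "2.3.1", "2.4.0"]:
        print(v, is_affected(v))
```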
QID Detection Logic (unauthenticated):
This QID attempts to run a command on the target via an unauthenticated crafted HTTP/HTTPS GET request that exploits the SQL injection web vulnerability, and looks for a response indicating that the target is vulnerable.
Since Magento relies on PHP, we recommend that all merchants using Magento review the necessary PHP updates with their hosting provider. We also recommend that merchants complete this review and any updates by September 30 in order to avoid PCI compliance issues that may go into effect at the end of the month as a result of these vulnerabilities.
If you would like more information on PHP and recent releases, you can visit PHP’s site.
So any Magento version prior to 2.3.1 may not be safe and may have PCI compliance issues. If you need a Hawaii onshore expert to upgrade Magento and add security, stability and increased performance to your site, please feel free to contact us by submitting the form below.