Allele Security Intelligence

Tag: Magento

ASA-2019-00400 – Magento: Arbitrary code execution via malicious XML layouts

Posted on June 29, 2019 by Allele Security Intelligence in Alerts

An authenticated user with admin privileges can execute arbitrary code when creating a product via malicious XML layouts.

Tagged Arbitrary Code Execution, ASA-2019-00400, CVE-2019-7942, Magento, PRODSECBUG-2375, XML

ASA-2019-00399 – Magento: Security bypass via form data injection

Posted on June 29, 2019 (updated July 24, 2019) by Allele Security Intelligence in Alerts

An authenticated user can inject form data and bypass security protections that prevent arbitrary PHP script upload.

Tagged ASA-2019-00399, CVE-2019-7871, Magento, PRODSECBUG-2202, Security Bypass

ASA-2019-00398 – Magento: Arbitrary code execution via file upload in admin import feature

Posted on June 29, 2019 by Allele Security Intelligence in Alerts

An authenticated user with admin privileges for the import feature can execute arbitrary code by uploading a malicious CSV file.

Tagged Arbitrary Code Execution, ASA-2019-00398, CVE-2019-7930, Magento, PRODSECBUG-2349

ASA-2019-00397 – Magento: Arbitrary code execution through product imports and design layout update

Posted on June 29, 2019 by Allele Security Intelligence in Alerts

An authenticated user with admin privileges can execute arbitrary code through a combination of product import via a crafted CSV file and an XML layout update.

Tagged Arbitrary Code Execution, ASA-2019-00397, CSV, CVE-2019-7896, Magento, PRODSECBUG-2298, XML

ASA-2019-00396 – Magento: Arbitrary code execution through design layout update

Posted on June 29, 2019 by Allele Security Intelligence in Alerts

An authenticated user with admin privileges can execute arbitrary code through a crafted XML layout update.

Tagged Arbitrary Code Execution, ASA-2019-00396, CVE-2019-7897, Magento, PRODSECBUG-2296, XML

ASA-2019-00209 – Magento: HTML injection vulnerability due to insufficient data validation

Posted on April 16, 2019 by Allele Security Intelligence in Alerts

An authenticated user can add and execute a malicious script on an HTML page through a vulnerable CLI command due to lack of data validation.

Tagged ASA-2019-00209, html injection, Magento, PRODSECBUG-2016

ASA-2019-00208 – Magento: Unauthorized access to wishlist via insecure direct object reference in the application

Posted on April 16, 2019 (updated April 18, 2019) by Allele Security Intelligence in Alerts

An authenticated user can enumerate and access other users' wishlists via an insecure direct object reference in the application.

Tagged ASA-2019-00208, Information Disclosure, Insecure Direct Object Reference, Magento, PRODSECBUG-2213, unauthorized access

ASA-2019-00207 – Magento: Admin credentials are logged in exception reports

Posted on April 16, 2019 (updated April 18, 2019) by Allele Security Intelligence in Alerts

Exception error reports capture administrative credentials in clear text.

Tagged ASA-2019-00207, Excessive Logging, Information Disclosure, Magento, PRODSECBUG-2197

© 2020 Allele Security Intelligence.