Upgrade Affiliate Plus Magento Extension – XSS Vulnerability Found

Updated on: March 29, 2020

A couple of weeks ago, we were performing a security scan for a customer running a Magento shop. While auditing their website, our team found a critical vulnerability in the Affiliate Plus module. According to Affiliate Plus’ website, 7000+ stores use the extension, so this XSS vulnerability in the Affiliate Plus Magento module leaves a large number of Magento stores exposed.

About Affiliate Plus Magento Module XSS

  • When logged into your Magento store as an affiliate, go to ‘My Program Section’.
  • In the ‘Program Name’ column, add the following JS code:
<script>alert(/XSS_Vulnerability/)</script>
  • Click on the ‘search’ button.
    [Image: Magento Module XSS - Affiliate Plus]
  • A pop-up appears, confirming that the JavaScript code was executed.
    [Image: Magento Module XSS Affiliate Plus]
  • In addition, SQL queries are echoed back by the application, exposing SQL errors and the database structure.
    [Image: Magento Vulnerability AffiliatePlus]
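The root cause behind the steps above is a search value reflected into the page without output encoding. The following is an added example, not the Affiliate Plus module's code: a hypothetical grid-filter helper rendered once the vulnerable way and once with context-appropriate escaping, fed the exact payload from the write-up.

```php
<?php
// Added example (not the Affiliate Plus module's code). renderFilterRow*()
// are hypothetical helpers standing in for a grid template that reflects
// the submitted 'Program Name' filter back into the page.
declare(strict_types=1);

// Vulnerable pattern: the raw filter value is echoed into both the filter
// input's value attribute and the "Results for" caption.
function renderFilterRowVulnerable(string $programName): string
{
    return '<input type="text" name="program_name" value="' . $programName . '">'
         . '<caption>Results for: ' . $programName . '</caption>';
}

// Hardened pattern: encode for the context the value lands in. ENT_QUOTES
// matters for the attribute, so a stray quote cannot close value="..." and
// start a new attribute or event handler.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderFilterRowSafe(string $programName): string
{
    return '<input type="text" name="program_name" value="' . escapeHtml($programName) . '">'
         . '<caption>Results for: ' . escapeHtml($programName) . '</caption>';
}

// Constructed input: the payload used in the steps above.
$payload = '<script>alert(/XSS_Vulnerability/)</script>';

echo "Vulnerable:\n" . renderFilterRowVulnerable($payload) . "\n\n";
echo "Hardened:\n" . renderFilterRowSafe($payload) . "\n";

// Regression check worth keeping in a store's test suite: the rendered
// markup must never contain the submitted tag verbatim.
assert(strpos(renderFilterRowSafe($payload), '<script') === false);
```

In a real Magento template the equivalent of escapeHtml() above is the block's own escaper helpers (escapeHtml in Magento 1 and 2, escapeHtmlAttr for attributes in Magento 2) rather than a hand-rolled function.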

Consequences

XSS, being one of the most widely found and exploited vulnerabilities, comes with some critical consequences. In the case of reflected XSS, the consequences are usually targeted at a particular customer. However, attacks can also be aimed at stealing admin data and more. These include:

  • Compromise of end user data/account information
  • Stealing of admin details via targeted attacks
  • Exposure to internal directory structure of the web app

Timeline

The Affiliate Plus team was very quick to understand the issue and promptly worked on fixing it. They proactively deployed the necessary fixes and released an updated version of the module with the patch. Kudos to the team!

Shikhil Sharma

Shikhil Sharma is the founder & CEO of Astra Security. Being involved with cybersecurity for over six years now, his vision is to make cyber security a 5-minute affair. Shikhil plays on the line between security and marketing. When not thinking about how to make Astra super simple, Shikhil can be found enjoying alternative rock or a game of football. Astra Security has been rewarded at Global Conference on Cyber Security by PM of India Mr. Narendra Modi. French President Mr. François Hollande also rewarded Astra under the La French Tech program. Astra Security is also a NASSCOM Emerge 50 company.