Security Advisory – SOS-09-002 – Magento Multiple Cross-Site Scripting Vulnerabilities
Release Date: 24-Feb-2009
Last Update: –
Vendor Notification Date: 21-Jan-2009
Platform: Linux / PHP (verified), possibly others
Affected versions: Magento 1.2.0 (verified), possibly others
Severity Rating: Medium
Impact: Cookie/credential theft, impersonation, loss of
Attack Vector: Remote with authentication
Solution Status: Vendor patch not yet available
CVE reference: CVE-2009-0541
Please refer to the PDF version of this advisory for proof of concept code examples.
The vendor has advised that the fix will be made available in the near future.
Loukas Kalenderidis from Sense of Security Labs.