CVE-2015-1397
CVE-2015-1397
SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.
Affected products
n/a · n/apublic PoCs found — 5
githubgithub.com/WHOISshuvam/CVE-2015-1397★ 1githubgithub.com/tmatejicek/CVE-2015-1397★ 0githubgithub.com/Wytchwulf/CVE-2015-1397-Magento-Shoplift★ 0githubgithub.com/0xDTC/Magento-eCommerce-RCE-CVE-2015-1397★ 0exploitdbwww.exploit-db.com/exploits/37977unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/http://magento.com/blog/technical/critical-security-advisory-remote-code-execution-rce-vulnerabilityhttps://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.htmlhttp://www.securitytracker.com/id/1032194