Quote:Magento patched 37 vulnerabilities on Thursday, including a host of critical flaws in the e-commerce platform that could have let attackers perform a range of malicious activities, such as take over a site and create new admin accounts.
 
The most serious of the bugs is a remote code-execution (RCE) vulnerability that could allow an authenticated user, with limited permissions, to create specially crafted newsletters and email templates that can be used to execute arbitrary code on targeted systems. The vulnerability has a CVSS score of 9.8 and impacts Magento versions 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8 and Magento 2.3 prior to 2.3.1.

A second critical bug patched by Magento is an unauthenticated SQL injection vulnerability that could allow an attacker exploiting the flaw to “read from the [Magento] database, [and] extract admin sessions or password hashes and use them to access the backend,” according to Ambionics Security. This would allow site takeover with the stolen credentials.