eBay Inc coordinated patch of 3 Magento Vulnerabilities (IVE, XSS & CSRF)
During the last week, the vulnerability researcher Hadji Samir discovered 3 vulnerabilities, which were patched by the eBay Inc security team in cooperation with Magento.
The first vulnerability was located in the `filename` value of the image upload module. To exploit it, the attacker needs to create a `New Message` with an upload and change the filename to a malicious payload. The attack vector of the issue is located on the application side, and the request method used to inject the script code is POST.
A PoC video has been recorded in our environment by the core team researcher Hadji Samir. In the video, Hadji demonstrates how to exploit an application-side filename validation vulnerability in connection with an upload POST method request.
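The filename issue described above comes down to a client-supplied upload name being stored and rendered without validation or output encoding. The following is an added example, not Magento's code or its patch: it shows the unsafe rendering pattern beside a hardened one, and the function names, the extension allow-list and the sample filename are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not Magento code): names, allow-list and sample
// filename are assumptions made for this example.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/** Unsafe pattern: the client-supplied filename is echoed into HTML as-is. */
function renderAttachmentUnsafe(string $clientName): string
{
    return '<li class="attachment">' . $clientName . '</li>';
}

/** Reduce a client-supplied filename to a safe stored name, or null to reject. */
function sanitizeUploadName(string $clientName): ?string
{
    // Drop any directory part, whichever separator the client used.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Keep only letters, digits, dot, dash and underscore in the stem.
    $stem = preg_replace('/[^A-Za-z0-9._-]+/', '_', pathinfo($base, PATHINFO_FILENAME));
    $stem = trim((string) $stem, '._-');
    if ($stem === '') {
        return null;
    }
    return substr($stem, 0, 100) . '.' . $ext;
}

/** Hardened rendering: encode on output even though the name was validated on input. */
function renderAttachmentSafe(string $storedName): string
{
    return '<li class="attachment">'
        . htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</li>';
}

// Constructed sample: a filename carrying harmless markup, as sent in a POST upload.
$sample = 'invoice"><b>injected</b>.png';

echo renderAttachmentUnsafe($sample), PHP_EOL; // markup reaches the page unencoded
$stored = sanitizeUploadName($sample);
echo $stored === null ? 'rejected' : renderAttachmentSafe($stored), PHP_EOL;
```

Validation on input and encoding on output are kept as separate steps so that a filename stored before the check existed is still rendered inertly.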