“The attackers could redirect all payments to their bank account or steal information about the bank cards of users,” write the experts.
The only condition necessary for the success of the attack was presence in the store of the built-in payment module Authorize.Net, since the root of the problem lay in the way Magento developers realized implementation of this payment processing solution.
The originally mentioned problem of stored XSS was discovered in Magento version 2.2.6, in August 2018. Last November, a patch was released for it, but it soon became clear that the fix is easy to bypass and Magento 2.3.0 was still vulnerable. New patches were released as part of Magento 2.3.2, 2.2.9 and 2.1.18.
The second problem associated with Phar deserialization was discovered in January 2019 and eliminated in March in Magento 2.3.1, 2.2.8 and 2.1.17.
Worth noting that stores based on Magento are still the favorite targets of intruders who practice so-called MageCart attacks or software skimming.
For example, according to a recent report by Sanguine Security, a targeted and automated attack is currently being conducted on vulnerable stores with about 960 affected sites. Majorly victims of this attack were small shops, however, according to experts, among the victims there are several large resources.