Popular e-commerce platform Magento warned users about a remote code execution vulnerability and advised them to apply patches immediately.
The vulnerability, which has a CVSS score of 10, affects Magento 2.3 versions. It can be abused to insert code through PageBuilder template methods. Magento released a security update addressing this issue and some other security flaws, but merchants who haven’t applied the patch yet are still vulnerable to attacks.
The exfiltration of credit card data
Magento also announced in a blog post that it will re-enable the preview functionality. Magento-based e-commerce websites have been attacked by various cybercrime groups. Some of those attacks can be highly damaging to both merchants and users. The attacks can cause the exfiltration of credit card data and the theft of funds.
In the blog post about the vulnerability, named CVE-2019-8144, Magento also claimed: “To help protect our customers, we have implemented measures designed to help block the exploit of this vulnerability. However, this action will have the side effect of blocking administrators from viewing previews for products, blocks, and dynamic blocks.”