Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites
06-Apr-24
The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of “improper neutralization of special elements” that could pave the way for arbitrary code execution.
It was addressed by the company as part of security updates released on February 13, 2024.
Sansec said it discovered a “cleverly crafted layout template in the database” that’s being used to automatically inject malicious code to execute arbitrary commands.
The command in question is sed, which is used to insert a code execution backdoor that’s then responsible for delivering a Stripe payment skimmer to capture and exfiltrate financial information to another compromised Magento store.
