Critical Vulnerability in Magestore Store Locator extension

March 8, 2019

Overview

A critical vulnerability exists in the Magestore Store Locator extension [0] version 1.0.2 (and earlier versions) that could result in unauthorized access to sensitive information. Magento urges customers running this extension to immediately disable this extension or block requests (see workarounds below), and request an updated version from the extension developer [1].

Exploit in the wild?

Magento is aware of reports that this vulnerability has been exploited in the wild.

Actions

Magento advises customers to take immediate action by disabling the extension. As a temporary mitigation, Magento Commerce cloud merchants can also take advantage of Magento’s Web Application Firewall (WAF) to block known exploitation paths. See here for more information about this feature.

While Magento Commerce cloud merchants can protect themselves from future attacks of this kind via the WAF referenced above, it's possible some merchants may have already been compromised. Merchants should work with their partners and technical teams to investigate for signs of compromise including, but not limited to, suspicious database queries being logged and unknown admin accounts. Additionally, all administrative accounts should have their passwords reset.

We also encourage all site owners to sign up for the security scan.

How do I know if I’m Impacted?

Customers running version 1.0.2 (and earlier versions) of the Magestore Store Locator extension may be impacted.

Workarounds

As a temporary measure, merchants can block all requests to the URL path /storelocator/index/loadstore.
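To support the investigation the Actions section asks for, and to check that the block above is actually taking effect, here is an added example (not Magento's or Magestore's code) that scans web server access logs for requests to the route named in the workaround. It assumes the Apache/nginx "combined" log format, and the sample lines it runs on are constructed; it matches the route loosely because Magento can expose the same controller behind an /index.php prefix or a store-code prefix, in mixed case, with a trailing slash, or percent-encoded.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Route named in the advisory's workaround. Match the decoded, lower-cased
# path with a regex rather than one exact string so that /index.php/...,
# /<store-code>/..., mixed case, trailing slashes and %XX encoding all hit.
LOADSTORE_RE = re.compile(r"/storelocator/index/loadstore(?:/|$)")

# Minimal parser for the "combined" access-log format; only the fields the
# check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_loadstore_request(target: str) -> bool:
    """True if the request target resolves to the Store Locator loadstore route."""
    path = unquote(target.split("?", 1)[0]).lower()
    return LOADSTORE_RE.search(path) is not None

def find_loadstore_hits(log_lines):
    """Return (ip, timestamp, status, target) for each request to the route."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_loadstore_request(m["target"]):
            hits.append((m["ip"], m["ts"], int(m["status"]), m["target"]))
    return hits

def clients_by_request_count(hits):
    """Count matching requests per client IP, most active first."""
    return Counter(ip for ip, _, _, _ in hits).most_common()

# Constructed sample traffic (documentation IP ranges, not a real log).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2019:10:01:12 +0000] "GET /storelocator/index/loadstore?x=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.2 - - [08/Mar/2019:10:02:40 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 20412 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Mar/2019:10:03:05 +0000] "POST /index.php/StoreLocator/Index/LoadStore/ HTTP/1.1" 200 977 "-" "curl/7.64.0"
203.0.113.9 - - [08/Mar/2019:10:04:19 +0000] "GET /en/storelocator/index/load%73tore HTTP/1.1" 403 162 "-" "python-requests/2.21.0"
198.51.100.5 - - [08/Mar/2019:10:05:00 +0000] "GET /storelocator/index/index HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    hits = find_loadstore_hits(SAMPLE_LOG)
    for ip, ts, status, target in hits:
        print(f"{ts} {ip} {status} {target}")
    print(clients_by_request_count(hits))
```

Any hit with a 2xx status after the block was put in place means the rule is not matching every form of the path; hits before the block went in are the requests to review with the site's technical team.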

References

Magento recommends customers review and implement recommendations documented in the security best practices guide.

[0] https://www.magestore.com/magento-2-store-locator-extension.html

[1] https://magestore.zendesk.com