Thousands of e-commerce companies using Magento are at risk after a critical bug was found in the platform. If you use Magento to run your websites, patch as soon as possible to protect them from large-scale attacks.
Stored XSS Flaw in Magento: A stored cross-site scripting (XSS) vulnerability exists in all versions of Magento Community Edition 1.9.2.2 and earlier and Enterprise Edition 1.14.2.2 and earlier. A stored XSS flaw has many consequences: through it, an attacker can take over your website via the administrator account, steal credit card information and customer data, and control the Magento-based online store.
How It Is Exploitable: An attacker can embed malicious JavaScript code in customer registration forms. Magento then executes that code in the context of the administrator account, which lets the attacker steal the administrator session and take control of the entire server running the e-commerce platform.
According to the Sucuri advisory, "This vulnerability affects almost every install of Magento CE <1.9.2.3 and Magento EE <1.14.2.3. The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend. Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk." "As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."
However, this vulnerability has been patched. Staying aware of the latest bugs and fixing them promptly is an active security measure, and regular vulnerability testing is required to keep your websites secure.
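
To find which stores still need the fix, the affected ranges quoted from the advisory (CE <1.9.2.3, EE <1.14.2.3) can be checked against an inventory of installs. The script below is an added example, not code from Magento or Sucuri; the host names and inventory rows are constructed, and the function names are hypothetical.

```python
import re

# First fixed releases, taken from the advisory quoted above.
FIRST_FIXED = {"CE": (1, 9, 2, 3), "EE": (1, 14, 2, 3)}


def parse_version(text):
    """Turn '1.9.2.10' into (1, 9, 2, 10); reject non-numeric strings."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    # Pad short versions so '1.9.1' compares as 1.9.1.0.
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(edition, version):
    """True if this edition/version is older than the first fixed release."""
    edition = edition.strip().upper()
    if edition not in FIRST_FIXED:
        raise ValueError(f"unknown edition: {edition!r}")
    # Tuple comparison is numeric per component, so 1.14.2.10 > 1.14.2.3
    # (a plain string comparison would get this wrong).
    return parse_version(version) < FIRST_FIXED[edition]


def triage(inventory):
    """Split hosts into (needs_patch, unknown) lists."""
    needs_patch, unknown = [], []
    for host, edition, version in inventory:
        try:
            if is_affected(edition, version):
                needs_patch.append(host)
        except ValueError:
            # Do not silently treat unparseable entries as safe.
            unknown.append(host)
    return needs_patch, unknown


# Constructed sample inventory (host, edition, reported version).
SAMPLE_INVENTORY = [
    ("shop-a.example", "CE", "1.9.2.2"),
    ("shop-b.example", "CE", "1.9.2.3"),
    ("shop-c.example", "EE", "1.14.2.2"),
    ("shop-d.example", "EE", "1.14.2.10"),
    ("shop-e.example", "CE", "1.9.1"),
    ("shop-f.example", "ce", "unknown"),
]

if __name__ == "__main__":
    patch, unknown = triage(SAMPLE_INVENTORY)
    print("patch now:", patch)
    print("verify manually:", unknown)
```

A reported version number only reflects upgrades, so treat each hit as a prompt to confirm on the host whether the fix has actually been applied.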