The stored cross-site scripting (XSS) flaws allow attackers to hijack Magento-based websites through administrator accounts, which may result in the theft of sensitive customer data.
Magento does not properly sanitize the content of the email address field, and the stored value is later rendered and executed in an admin context. The malicious code can then steal an administrator's session.
Cybersecurity firm Sucuri says: “The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend. Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk.”
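The defect pattern described above, as an added illustration that is not Magento's code: a stored "email" value is interpolated verbatim into an admin page (vulnerable form) versus validated on input and HTML-encoded on output (hardened form). The sample value, the helper names and the regex checks are constructed for this example.

```python
import html
import re

# Constructed sample values (not from the original article): one plain address and
# one "address" that carries markup instead of a mailbox name.
VALID_EMAIL = "alice@example.com"
MALICIOUS_EMAIL = "<script>alert(1)</script>@example.com"

# Deliberately simple structural check: local part, "@", domain with a TLD.
# It is not full RFC 5322 validation, but it rejects any angle bracket or whitespace.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value: str) -> bool:
    """Inbound validation: accept only values that look like a plain address."""
    return EMAIL_RE.fullmatch(value) is not None


def render_customer_row_unsafe(email: str) -> str:
    """Vulnerable pattern: the stored value goes into admin HTML unchanged."""
    return f"<tr><td>{email}</td></tr>"


def render_customer_row_safe(email: str) -> str:
    """Hardened pattern: output-encode at render time, whatever was stored."""
    return f"<tr><td>{html.escape(email, quote=True)}</td></tr>"


def contains_active_markup(rendered: str) -> bool:
    """Crude review check: does a script tag or an on*= handler survive into the output?"""
    return re.search(r"<script\b|\bon\w+\s*=", rendered, re.IGNORECASE) is not None
```

The safe renderer neutralizes the stored value even if validation was bypassed, which is why output encoding, not input filtering alone, is the primary fix for this class of bug.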
The second bug was discovered in the comments section of the Magento CMS.
Besides these two critical vulnerabilities, the Magento update also fixes other problems, including RSS-based information leaks, susceptibility to brute-force attacks, a lack of form protection on the Admin Login page, and more.
To protect websites from exploitation, apply the latest patch bundle, SUPEE-7405, as soon as possible.