E-Commerce Sites Hit With New Attack on Magento

Thousands of e-commerce sites running software past end-of-life were hit by an automated attack that began on Friday, peaking on Saturday. According to researchers at Sansec, more than 2,000 websites running Magento Version 1 software were subject to a classic Magecart attack that injected malicious code to steal payment details during transactions.

According to the attack analysis, most of the victims previously had not been successfully attacked. This suggested to the analysts that a novel infection mechanism was used, one possibly related to a zero-day attack recently offered for sale on Dark Web markets.

For more, read here.

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database

CVE-2020-13316
PUBLISHED: 2020-09-14

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not validating a Deploy-Token and allowed a disabled repository be accessible via a git command line.

CVE-2020-13318
PUBLISHED: 2020-09-14

A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLabs EKS integration was vulnerable to a cross-account assume role attack.

CVE-2020-24457
PUBLISHED: 2020-09-14

Logic error in BIOS firmware for 8th, 9th and 10th Generation Intel(R) Core(TM) Processors may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.

CVE-2020-25573
PUBLISHED: 2020-09-14

An issue was discovered in the linked-hash-map crate before 0.5.3 for Rust. It creates an uninitialized NonNull pointer, which violates a non-null constraint.

CVE-2020-25574
PUBLISHED: 2020-09-14

An issue was discovered in the http crate before 0.1.20 for Rust. An integer overflow in HeaderMap::reserve() could result in denial of service (e.g., an infinite loop).
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not validating a Deploy-Token and allowed a disabled repository be accessible via a git command line.
A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLabs EKS integration was vulnerable to a cross-account assume role attack.
Logic error in BIOS firmware for 8th, 9th and 10th Generation Intel(R) Core(TM) Processors may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.
An issue was discovered in the linked-hash-map crate before 0.5.3 for Rust. It creates an uninitialized NonNull pointer, which violates a non-null constraint.
An issue was discovered in the http crate before 0.1.20 for Rust. An integer overflow in HeaderMap::reserve() could result in denial of service (e.g., an infinite loop).

This content was originally published here.

Could TikTok-owner ByteDance’s new payment licence be its ticket to e-commerce success? | South China Morning Post

September 17, 2020

Italian Shoemakers Use BDroppy to Dropship Through E-Commerce – Sourcing Journal

September 17, 2020