CVE-2011-5240

Name of the Vulnerable Software and Affected Versions Magento versions 1.5 through 1.6.2

Description The issue arises from the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows attackers to spoof SSL servers via an arbitrary valid certificate, enabling man-in-the-middle attacks.

Recommendations For Magento versions 1.5 through 1.6.2, update the software to verify the server hostname against the X.509 certificate's Common Name or subjectAltName field to prevent SSL server spoofing.