PT-2012-2217 · Magento · Magento
Published
2012-11-06
·
Updated
2012-11-06
·
CVE-2011-5240
CVSS v2.0
5.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Magento versions 1.5 through 1.6.2
Description
The issue arises from the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows attackers to spoof SSL servers via an arbitrary valid certificate, enabling man-in-the-middle attacks.
Recommendations
For Magento versions 1.5 through 1.6.2, update the software to verify the server hostname against the X.509 certificate's Common Name or subjectAltName field to prevent SSL server spoofing.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Magento