CVE-2015-1397
Published 2015-04-29
Priority: P2 · 72 · medium · 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N / AC:L / Au:S / C:P / I:P / A:P
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 56.69% (98.9th percentile)
SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magento | magento | — | — |
| magento | magento | — | — |
Detection & IOCs (extracted from sources)
Indicator: other___directive=e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ
- The ___directive parameter carries a base64-encoded Magento block directive. Decoded value '{{block type=Adminhtml/report_search_grid output=getCsvFile}}' triggers the vulnerable getCsvFile function. Alert on this decoded string or its base64 form.
- Inspect for the popularity[field_expr] parameter containing SQL metacharacters (e.g., closing parenthesis followed by semicolon) after base64-decoding the filter value.
- Early in-the-wild exploitation focused solely on the SQL injection to create rogue admin accounts; monitor for unexpected INSERT INTO admin_user / admin_role SQL statements in application logs or WAF telemetry.
- For CVE-2015-1399 (LFI/RFI chained with this CVE), detect PHP stream wrappers (e.g., phar://) appearing in ScriptPath parameters using the Magento reflection format {{FUNC_NAME ScriptPath=phar://...}}.
- Standard WAF SQL injection signatures will NOT detect this vulnerability without first base64-decoding the 'filter' POST parameter, as the entire payload is base64-encoded before transmission.
- The authentication bypass (CVE-2015-1398, 'forwarded' parameter) and the Magento reflection mechanism are application-specific and require dedicated inspection rules; generic WAF HTTP inspection rules will not block them.
- The full RCE chain requires three CVEs (CVE-2015-1397, CVE-2015-1398, CVE-2015-1399) to be exploited in sequence; blocking only the SQLi step (CVE-2015-1397) still leaves the database at risk if the auth bypass fires first.
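An added detection example, not code from any of the sources quoted on this page: it applies the checks above to one URL-encoded POST body, base64-decoding the filter parameter before looking at popularity[field_expr]. It assumes ___directive, filter and forwarded arrive as top-level POST parameters; the sample bodies are constructed, and the field_expr value in the suspicious sample is a placeholder, not a working injection string.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode
# Decoded directive quoted on the page, and its base64 form as seen on the wire (padding stripped).
GETCSVFILE_DIRECTIVE = "{{block type=Adminhtml/report_search_grid output=getCsvFile}}"
PAGE_DIRECTIVE_B64 = "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ"
# The page's indicator (a closing parenthesis followed by a semicolon) plus other SQL
# metacharacters that never belong in a legitimate grid column expression.
SQL_META = re.compile(r"\)\s*;|;|--|'|\"|/\*")

def b64_decode_lenient(value: str) -> str:
    """Decode base64, re-adding stripped padding; return '' when the value is not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""

def inspect_request_body(body: str) -> list:
    """Return detection findings for one URL-encoded POST body; an empty list means clean."""
    findings = []
    params = parse_qs(body, keep_blank_values=True, separator="&")
    # 1. The block directive that makes Magento call getCsvFile, matched on the decoded form.
    for raw in params.get("___directive", []):
        if "output=getCsvFile" in b64_decode_lenient(raw):
            findings.append("getCsvFile block directive in ___directive")
    # 2. The grid filter is itself base64: decode it, then inspect popularity[field_expr] only
    #    when popularity[from] or popularity[to] is present, as the CVE text requires.
    for raw in params.get("filter", []):
        inner = parse_qs(b64_decode_lenient(raw), keep_blank_values=True, separator="&")
        range_set = "popularity[from]" in inner or "popularity[to]" in inner
        if range_set and any(SQL_META.search(e) for e in inner.get("popularity[field_expr]", [])):
            findings.append("SQL metacharacters in base64-decoded popularity[field_expr]")
    # 3. The 'forwarded' parameter the page ties to the chained auth bypass (CVE-2015-1398).
    if "forwarded" in params:
        findings.append("'forwarded' parameter present (CVE-2015-1398 indicator)")
    return findings

def b64_encode(text: str) -> str:
    return base64.b64encode(text.encode()).decode()
# Constructed sample bodies (not captured traffic). SUSPICIOUS_BODY copies the parameter layout
# the page describes with a placeholder expression; it is not a working injection string.
BENIGN_BODY = urlencode({"filter": b64_encode("popularity[from]=1&popularity[to]=10&popularity[field_expr]=popularity")})
NO_RANGE_BODY = urlencode({"filter": b64_encode("popularity[field_expr]=x);y")})
SUSPICIOUS_BODY = urlencode({
    "___directive": PAGE_DIRECTIVE_B64,
    "filter": b64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=x);PLACEHOLDER"),
    "forwarded": "1",
})
```

Run inspect_request_body over each body a WAF or log parser hands you; the directive check alone catches the in-the-wild requests the page describes, while the decoded field_expr check is what generic SQLi signatures miss.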
CVSS provenance
- NVD (v2.0): 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
- VulnCheck: 6.5 MEDIUM
GHSA
GHSA-74wx-cgv2-vqc6 · ghsa_unreviewed · 2022-05-17 · CVE-2015-1397 [MEDIUM] · CWE-89
SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.
VulnCheck
vulncheck · 2015 · CVSS 6.5 · CVE-2015-1397 [MEDIUM]
magento magento: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.
Affected: magento magento
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2016/01/security-advisory-stored-xss-in-magento.html
Exploit PoC: https://vulncheck.com/xdb/acf6c4be0539; https://vul
No detection rules found.
CTF
medium / README · ctf_writeups · CVSS 9.1 [CRITICAL]
HackTheBox - Medium Machines (site page: layout default, parent Machines, nav_order 2, permalink /machines/medium/; description "112+ Medium HTB machine writeups with walkthroughs"). Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries. Total: 100+ machines, sorted roughly by retirement date (newest first).
Machine Index (excerpt):
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---|---|---|---|---|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
easy / README · ctf_writeups · CVSS 6.0 [MEDIUM]
HackTheBox Easy Machines - Comprehensive Reference (site page: layout default, parent Machines, nav_order 1, permalink /machines/easy/; description "120+ Easy HTB machine writeups with walkthroughs"). Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links. Total: 100+ Easy Machines, updated April 2026. Sections: Classic / Legacy Machines (2017-2019); 2019-2020 Machines; 2021 Machines; 2022 Machines; 2023 Machines; 2024 Machines (Season 4 & 5); 2025-2026 Machines (Season 6+).
## Classic / Legac
Qualys
Magento RCE And Application Security Templates | Qualys · blogs_qualys · 2015-05-14 · CVSS 6.5 [MEDIUM]
Part of the responsibilities of the Qualys Web Application Firewall (WAF) security team is to analyze newly disclosed vulnerabilities. We must ensure their correct detection, and when necessary, publish security updates that will be pushed onto customers' sensors so they can be protected. For most vulnerabilities, these changes are only cosmetic. The inspection engine already knows all the classic web attack strategies (SQLi, XSS, …), and typically our patches are about displaying specific messages to warn the customer that a known vulnerability has been targeted.
But occasionally, as in the case of the Magento remote code execution (RCE) vulnerability described by Checkpoint, the vulnerabilities are far more interesting. As I describe in this article, these vulnerabilities are in applica
Bugzilla
CVE-2015-8842 [LOW] systemd: improper use of tmpfiles.d to create persistent journal files · bugzilla · 2016-06-21 · CVSS 3.3
tmpfiles.d/systemd.conf in systemd before v230 does not explicitly set ACLs on persistent system.journal. This could allow improper permissions to be set on the file.
seclist report: http://seclists.org/oss-sec/2016/q2/34
Suse BTS: https://bugzilla.suse.com/show_bug.cgi?id=972612
Fixed in commit: https://github.com/systemd/systemd/commit/afae249efa4774c6676738ac5de6aeb4daf4889f
For additional information: https://github.com/systemd/systemd/issues/1397
Discussion:
The persistent journal logging, the feature at fault, is disabled by default: default journald storage is set to "auto". To run into the bug, the storage value needs to be changed to "persistent" to force journald to create the /var/log/journal
References:
- http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
- http://magento.com/blog/technical/critical-security-advisory-remote-code-execution-rce-vulnerability
- http://www.securitytracker.com/id/1032194
- https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html