CVE-2015-1397
published 2015-04-29


Priority: P2 (72) · Severity: medium · CVSS 2.0 base score: 6.5
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploited in the wild (ITW exploit; VulnCheck KEV; initial access)
EPSS: 56.69% (98.9th percentile)
SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.

Affected (2 ranges)

Vendor    Product   Version range   Fixed in
magento   magento
magento   magento

Detection & IOCs (extracted from sources)

  • url: /admin/Cms_Wysiwyg/directive/index/
  • other: ___directive=e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ
  • command: popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{SQL}
  • other: forwarded=1
  • other: filter=<base64(popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);...)>
  • The ___directive parameter carries a base64-encoded Magento block directive. Decoded value '{{block type=Adminhtml/report_search_grid output=getCsvFile}}' triggers the vulnerable getCsvFile function. Alert on this decoded string or its base64 form.
  • Inspect for the popularity[field_expr] parameter containing SQL metacharacters (e.g., closing parenthesis followed by semicolon) after base64-decoding the filter value.
  • Early in-the-wild exploitation focused solely on the SQL injection to create rogue admin accounts; monitor for unexpected INSERT INTO admin_user / admin_role SQL statements in application logs or WAF telemetry.
  • For CVE-2015-1399 (LFI/RFI chained with this CVE), detect PHP stream wrappers (e.g., phar://) appearing in ScriptPath parameters using the Magento reflection format {{FUNC_NAME ScriptPath=phar://...}}.
  • Standard WAF SQL injection signatures will NOT detect this vulnerability without first base64-decoding the 'filter' POST parameter, as the entire payload is base64-encoded before transmission.
  • The authentication bypass (CVE-2015-1398, 'forwarded' parameter) and the Magento reflection mechanism are application-specific and require dedicated inspection rules; generic WAF HTTP inspection rules will not block them.
  • The full RCE chain requires three CVEs (CVE-2015-1397, CVE-2015-1398, CVE-2015-1399) to be exploited in sequence; blocking only the SQLi step (CVE-2015-1397) still leaves the database at risk if the auth bypass fires first.
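The decoding step the bullets above call for, written out as an added example (not part of this record and not Magento's own code): it base64-decodes the ___directive and filter parameters, rebuilds the inner form fields of the filter, and flags the block directive that invokes getCsvFile, SQL metacharacters in popularity[field_expr] when a from/to bound is present, and the forwarded=1 marker. Function and variable names are my own; the sample request is constructed from the IOC values listed above, with the filter body using the page's {SQL} placeholder rather than any real statement.

```python
"""Detection helper for the request pattern in the IOC list above (added example)."""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, unquote_plus

# Endpoint and parameter names are taken from the IOC list above.
SUSPICIOUS_PATH = "/admin/Cms_Wysiwyg/directive/index/"
# Decoded ___directive values that route output through getCsvFile.
BLOCK_DIRECTIVE_RE = re.compile(r"\{\{\s*block\b[^}]*output\s*=\s*getCsvFile", re.IGNORECASE)
# Closing parenthesis followed by a semicolon, as the IOC bullet describes.
SQL_META_RE = re.compile(r"\)\s*;")


def b64_decode_lenient(value: str) -> Optional[str]:
    """Decode standard or URL-safe base64, tolerating URL encoding and missing padding."""
    raw = unquote(value).strip().replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def parse_form(body: str) -> Dict[str, List[str]]:
    """Split an application/x-www-form-urlencoded body on '&' only (';' is data here)."""
    fields: Dict[str, List[str]] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        fields.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return fields


def analyze_request(path: str, params: Dict[str, str]) -> List[str]:
    """Return findings for one request given its path and flat query/POST parameters."""
    findings: List[str] = []
    if path.startswith(SUSPICIOUS_PATH):
        findings.append("path: Cms_Wysiwyg directive endpoint")

    directive = params.get("___directive")
    if directive is not None:
        decoded = b64_decode_lenient(directive)
        if decoded and BLOCK_DIRECTIVE_RE.search(decoded):
            findings.append("___directive: block directive invoking getCsvFile (%s)" % decoded)

    filt = params.get("filter")
    if filt is not None:
        decoded = b64_decode_lenient(filt)
        if decoded:
            inner = parse_form(decoded)
            has_bound = "popularity[from]" in inner or "popularity[to]" in inner
            for expr in inner.get("popularity[field_expr]", []):
                if has_bound and SQL_META_RE.search(expr):
                    findings.append("filter: SQL metacharacters in popularity[field_expr] (%r)" % expr)

    if params.get("forwarded") == "1":
        findings.append("forwarded=1: admin auth-bypass indicator (CVE-2015-1398)")
    return findings


# Constructed sample request built from the IOC values above (placeholder {SQL} kept as-is).
SAMPLE_PATH = "/admin/Cms_Wysiwyg/directive/index/"
SAMPLE_DIRECTIVE = "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ"
SAMPLE_FILTER = base64.b64encode(
    b"popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{SQL}"
).decode("ascii")
SAMPLE_PARAMS = {"___directive": SAMPLE_DIRECTIVE, "filter": SAMPLE_FILTER, "forwarded": "1"}
# Constructed benign grid filter: a from/to range with no field_expr.
BENIGN_PARAMS = {"filter": base64.b64encode(b"popularity[from]=0&popularity[to]=3").decode("ascii")}

if __name__ == "__main__":
    for finding in analyze_request(SAMPLE_PATH, SAMPLE_PARAMS):
        print("ALERT:", finding)
    print("benign request findings:", analyze_request("/index.php/admin/", BENIGN_PARAMS))
    # The encoded filter contains no ')' or ';', which is why a raw WAF regex misses it.
    print("raw regex hit on encoded filter:", bool(SQL_META_RE.search(SAMPLE_FILTER)))
```

The last print makes the WAF point from the bullets concrete: the base64 alphabet never contains ')' or ';', so a signature applied to the undecoded filter value can never match; the decode has to happen first.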

CVSS provenance

NVD (CVSS v2.0): 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
VulnCheck: 6.5 MEDIUM