MD Quickview RCE vulnerability

RCE vulnerability in MD Quickview extension

The MD Quickview extension (also distributed as Smartwave/Quickview or Sns/Quickview, and as similar Quickview extensions bundled with design themes such as Smartwave Porto or Sns Nova) is vulnerable to SQL injection. The vulnerability allows a remote attacker to take complete control of an affected store with a single URL call. If you have a Quickview extension installed in your shop, please consider disabling it immediately and uninstalling or patching it later.
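To check whether a Quickview module is declared and still active, the following added example (not code from the original post or from the extension's authors) scans the module declaration files of a store. It assumes a Magento 1 layout with declarations in app/etc/modules/*.xml; the module names Smartwave_Quickview and Sns_Quickview and the sample tree are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def find_quickview_modules(magento_root):
    """Return (module, active, code_pool, declaration_file) for Quickview modules."""
    hits = []
    modules_dir = Path(magento_root, "app", "etc", "modules")  # assumed Magento 1 layout
    for decl in sorted(modules_dir.glob("*.xml")):
        try:
            root = ET.parse(decl).getroot()
        except ET.ParseError:
            continue  # skip declaration files that are not well-formed XML
        # Each child of <modules> is one module, named Namespace_Module.
        for module in root.findall("./modules/*"):
            if "quickview" not in module.tag.lower():
                continue
            active = (module.findtext("active") or "").strip().lower() == "true"
            pool = (module.findtext("codePool") or "").strip()
            hits.append((module.tag, active, pool, decl.name))
    return hits


def build_sample_root():
    """Build a constructed sample tree (not taken from a real store)."""
    root = Path(tempfile.mkdtemp())
    mods = root / "app" / "etc" / "modules"
    mods.mkdir(parents=True)
    template = ("<config><modules><{0}><active>{1}</active>"
                "<codePool>community</codePool></{0}></modules></config>")
    samples = [("Smartwave_Quickview", "true"),   # assumed module name, active
               ("Sns_Quickview", "false"),        # assumed module name, disabled
               ("Example_Catalog", "true")]       # unrelated module, ignored
    for name, active in samples:
        (mods / f"{name}.xml").write_text(template.format(name, active))
    return root


if __name__ == "__main__":
    for name, active, pool, decl in find_quickview_modules(build_sample_root()):
        state = "ACTIVE, disable it" if active else "disabled"
        print(f"{name} ({pool}, {decl}): {state}")
```

Setting `<active>false</active>` in the reported declaration file disables the module; the admin "Disable Modules Output" setting only suppresses block output and leaves the module's controllers reachable.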

  • Nafiz

    How do I patch it?

  • Scode

    Hi Magentary. Occasionally when I run your patch tester it says my webstore has MD Quickview & EM Quickshop vulnerabilities. However when testing again that disappears and most scans don’t return it. I just see it every so often. Should I be concerned?

    In Magento backend System – Config – Advanced – Advanced I don’t see the two of them in the modules list. Would they be there if I had them? Thanks for clarifying.

    • magentary

      No, your store is not vulnerable; however, there is a possible resource shortage on the server or other issues, resulting in sporadic errors on various pages. I would suggest that you check the var/report directory and monitor the store state during peak hours.
      The false positive result in the tester comes from a “501 Internal error” or “503 Temporarily unavailable” response from your server in the probe result.