4 matches found
Cross-site Request Forgery (CSRF)
dweeves/magmi is vulnerable to cross-site request forgery (CSRF). The lack of proper CSRF protection, with no CSRF token in place to verify that a request is legitimate, allows an attacker to use an existing admin session to subsequently cause remote code execution via the phpcil command...
Authentication Bypass
dweeves/magmi is susceptible to authentication bypass. This is possible because it falls back to a default basic-authentication login of magmi:magmi when a database connection failure is induced by a malicious user sending 151 simultaneous requests to the Magento website, leading to a "Too many...
Directory Traversal
dweeves/magmi is vulnerable to directory traversal attacks. These attacks are possible because it allows attackers to include .. sequences in the file parameter of web/ajaxpluginconf.php...
Cross-Site Scripting (XSS) And Arbitrary Code Execution
dweeves/magmi-git is vulnerable to cross-site scripting (XSS) and arbitrary code execution attacks. The attacks are possible because the user-supplied prefix parameter is passed to the magmi-git-master/magmi/web/ajaxgettime.php URL without sufficient filtering...