MAGMI - Cross-Site Request Forgery
MAGMI (Magento Mass Importer) is vulnerable to cross-site request forgery (CSRF) due to a lack of CSRF tokens. Remote code execution via the phpcli command is also possible in the event that CSRF is leveraged against an existing admin session. id: CVE-2020-5776 info: name: MAGMI - Cross-Site Request...
EUVD-2022-1936
Malicious code in bioql PyPI...
CVE-2020-5777
MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the MySQL setting max_connections (default 151) is lower than Apache or...
CVE-2020-5776
Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE via phpcli command is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI...
CVE-2014-8770
Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file, then accessing the PHP fil...
Magmi XSS Vulnerability
A Cross-Site Scripting (XSS) vulnerability was discovered in Magmi 0.7.22. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the magmi-git-master/magmi/web/ajax_gettime.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the...
GHSA-R8VH-CM9F-RC29 Magmi XSS Vulnerability
A Cross-Site Scripting (XSS) vulnerability was discovered in Magmi 0.7.22. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the magmi-git-master/magmi/web/ajax_gettime.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the...
MAGMI plugin for Magento Unsafe File Upload
Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file, then accessing the PHP fil...
GHSA-27V2-398X-F74X MAGMI cross-site scripting (XSS)
Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php...
MAGMI cross-site scripting (XSS)
Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php...
MAGMI plugin for Magento Server Directory Traversal
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter...
GHSA-C252-XC8V-MQMM MAGMI plugin for Magento Server Directory Traversal
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter...
Cross-Site Request Forgery in MAGMI
All versions of MAGMI up to and including version 0.7.24 are vulnerable to CSRF due to the lack of CSRF tokens. RCE via phpcli command is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI...
GHSA-CV7M-WC7G-7GFP Cross-Site Request Forgery in MAGMI
All versions of MAGMI up to and including version 0.7.24 are vulnerable to CSRF due to the lack of CSRF tokens. RCE via phpcli command is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI...
Authentication bypass in MAGMI
MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the MySQL setting max_connections (default 151) is lower than Apache or...
GHSA-G475-PCH5-6WVV Authentication bypass in MAGMI
MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the MySQL setting max_connections (default 151) is lower than Apache or...
Magento MAGMI Authentication Bypass (CVE-2020-5777)
An authentication bypass vulnerability exists in Magento MAGMI. Successful exploitation of this vulnerability allows a remote attacker to gain unauthorized access to the affected system...
Magento MAGMI Remote Code Execution (CVE-2020-5776)
A remote code execution vulnerability exists in Magento MAGMI. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system...
Cross-site Request Forgery (CSRF)
dweeves/magmi is vulnerable to cross-site request forgery (CSRF). The lack of proper CSRF protection, with no CSRF token in place to verify that a request is legitimate, allows an attacker to use an existing admin session to subsequently cause remote code execution via the phpcli command...
Authentication Bypass
dweeves/magmi is susceptible to authentication bypass. This is possible because it falls back to a default login (magmi:magmi) for basic authentication when a database connection failure is introduced by a malicious user sending 151 simultaneous requests to the Magento website, leading to a "Too many...