Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws

guest · Sep 2, 2020

Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws
September 1, 2020
https://threatpost.com/magento-sites-vulnerable-to-rce-stemming-from-magmi-plugin-flaws/158864/

Researchers have disclosed two flaws that could enable remote code execution attacks on the Magento Mass Import (Magmi) plugin, an open source database client that imports data into Magento.

Magmi is a Magento database client written in PHP, which is used to perform raw bulk operations on the models of an online store. A patch has only been published for one of the two flaws (CVE-2020-5777), in Magmi version 0.7.24, Sunday. At the time of disclosure, however, there was still no patch available for two second flaw (CVE-2020-5776), said researchers.

“To reduce your risk in the meantime, we recommend disabling or uninstalling the plugin altogether until a patch is available, as well as refraining from active web browsing while authenticated to Magmi,” said researchers with Tenable in a Tuesday post.
Click to expand...

The Flaws
The unpatched flaw, CVE-2020-5776, is a cross-site request forgery (CSRF) vulnerability affecting Magmi up to version 0.7.24. While this flaw has a CVSSv2 score of 6.8 out of 10 (making it medium severity), vulnerability database VulDB classified it as critical.

The second, now patched flaw, CVE-2020-5777, is an authentication bypass flaw in Magmi for Magento version 0.7.23 and below. This flaw also has a CVSSv2 score of 6.8 out of 10, making it medium severity, researchers told Threatpost.
“We have since sent requests for updates and have not received any. However, the developers released a new version of the plugin on August 30 to address one of the two vulnerabilities (CVE-2020-5777),” they said.
Click to expand...

Tenable: CVE-2020-5776, CVE-2020-5777: Multiple Vulnerabilities in the MAGMI Magento Mass Import Plugin

Tenable Research discovers multiple vulnerabilities in the MAGMI Magento plugin that could lead to remote code execution on a vulnerable Magento site
Click to expand...

Log in or Sign up

Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws

guest Guest

Log in or Sign up

Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws

guest Guest

Useful Searches