cbcvebase.
CVE-2014-8770
published 2014-11-13

CVE-2014-8770: Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition…

PriorityP258critical9CVSS 2.0
AVNACLAuSCCICAC
EXPLOIT
EPSS
6.54%
93.0th percentile
Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file, then accessing the PHP file via a direct request to it in magmi/plugins/.

Affected

2 ranges
VendorProductVersion rangeFixed in
dweevesmagmi0 – 0.7.17a
magmi_projectmagmi<= 0.7.17a

Detection & IOCsextracted from sources · hover to see the quote

pathmagmi/web/magmi.php
pathmagmi/plugins/
urlhttp://<host>/magmi/web/magmi.php
urlhttp://<host>/magmi/plugins/evil.php
  • Monitor for ZIP file uploads to magmi/web/magmi.php followed by HTTP GET requests to magmi/plugins/ — this two-stage pattern (upload then access) is the exploitation sequence for CVE-2014-8770.
  • Alert on POST requests to magmi/web/magmi.php with multipart/form-data content containing a ZIP file, especially from authenticated sessions — the plugin upload functionality performs no sanity checks on file contents.
  • Detect PHP files appearing under the magmi/plugins/ directory that were not present before a ZIP upload event — attacker-dropped webshells will be extracted there.
  • Flag POST requests to any PHP file under magmi/plugins/ containing a 'command' parameter — this matches the webshell's $_POST['command'] execution mechanism.
  • Look for the string 'Plugin packaged installed' in HTTP responses to magmi/web/magmi.php — this confirms a successful plugin (potentially malicious) ZIP upload.
  • ·Exploitation requires authenticated access — unauthenticated attackers cannot directly exploit this vulnerability; however, MAGMI's authentication may be weak or bypassed in some deployments.
  • ·Affected versions are MAGMI 0.7.17a and earlier on Magento CE; the exploit was tested specifically against Magento CE 1.8 and older with MAGMI v0.7.17a.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.