CVE-2017-7391
published 2017-04-01


Priority: P279 · medium · 6.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 8.17% (94.2th percentile)

A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dweeves | magmi | >= 0 < 0.7.24 | 0.7.24 |
| magmi_project | magmi | | |

Detection & IOCs (extracted from sources)

path: /magmi/web/ajax_gettime.php
url: {{BaseURL}}/magmi/web/ajax_gettime.php?prefix=%22%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%3C
  • Send a GET request to /magmi/web/ajax_gettime.php with the `prefix` parameter set to the XSS payload `"%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%3C`; a vulnerable instance will reflect `"><script>alert(document.domain);</script><` in the HTML body with a text/html Content-Type header and HTTP 200 status.
  • Use Shodan query `http.component:"magento"` to identify internet-exposed Magento instances that may have the MAGMI plugin installed and be susceptible to CVE-2017-7391.
  • CVE-2017-7391 was observed being exploited in the wild against vulnerable Magento sites, as noted in an FBI flash security alert (May 2020); prioritize detection on Magento deployments running MAGMI 0.7.22 or below.
  • The XSS is triggered via the `prefix` GET parameter; the vulnerable parameter name is required for accurate detection rule scoping.
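
A log check scoped the way the notes above describe (the `ajax_gettime.php` path plus the `prefix` parameter), as an added example that is not part of the original record. It assumes combined-format web access logs; the function names and the sample log lines (which use benign markup probes) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

VULN_PATH = "/magmi/web/ajax_gettime.php"  # path from the record above
PARAM = "prefix"                           # vulnerable parameter from the record above
HTML_META = re.compile(r"[<>\"']")         # characters that break out of HTML context
# Request line of a combined-log-format entry (the log format is an assumption).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_prefix(line):
    """Return a finding dict if the line carries markup in `prefix`, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # endswith() also covers installs under a parent directory.
    if not parts.path.endswith(VULN_PATH):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)
        if HTML_META.search(value):
            return {"status": int(m.group("status")), "prefix": value}
    return None

def scan(lines):
    return [hit for hit in map(suspicious_prefix, lines) if hit]

# Constructed sample log lines (documentation IP ranges, benign markup probes).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2020:10:01:22 +0000] "GET /magmi/web/ajax_gettime.php?prefix=%22%3E%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 312 "-" "curl/7.68.0"',
    '203.0.113.7 - - [12/May/2020:10:01:25 +0000] "GET /shop/magmi/web/ajax_gettime.php?prefix=%253Ci%253E HTTP/1.1" 200 298 "-" "-"',
    '198.51.100.4 - - [12/May/2020:10:02:01 +0000] "GET /magmi/web/ajax_gettime.php?prefix=import_42 HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2020:10:02:09 +0000] "GET /search.php?prefix=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 only shows the request was served; confirming exposure still means checking the installed MAGMI version against the fixed release listed above.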

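CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | | 6.1 | MEDIUM | |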