Dweeves Magmi vulnerabilities
6 known vulnerabilities affecting dweeves/magmi.
Total CVEs
6
CISA KEV
0
Public exploits
6
Exploited in wild
3
Severity breakdown
CRITICAL1HIGH1MEDIUM4
Vulnerabilities
Page 1 of 1
CVE-2015-2067P2MEDIUMExploitedPoC≥ 0, ≤ 0.7.212022-05-13
CVE-2015-2067 [MEDIUM] CWE-22 MAGMI plugin for Magento Server Directory Traversal
MAGMI plugin for Magento Server Directory Traversal
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
ghsaosv
CVE-2017-7391P2MEDIUMExploitedPoC≥ 0, < 0.7.242022-05-17
CVE-2017-7391 [MEDIUM] CWE-79 Magmi XSS Vulnerability
Magmi XSS Vulnerability
A Cross-Site Scripting (XSS) was discovered in Magmi 0.7.22. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the `magmi-git-master/magmi/web/ajax_gettime.php` URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
ghsaosv
CVE-2020-5776P2MEDIUMExploitedPoC≥ 0, ≤ 0.7.242021-05-06
CVE-2020-5776 [MEDIUM] CWE-352 Cross-Site Request Forgery in MAGMI
Cross-Site Request Forgery in MAGMI
All versions of MAGMI up to and including version 0.7.24 are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
ghsaosv
CVE-2020-5777P1CRITICALPoC≥ 0, < 0.7.242021-05-06
CVE-2020-5777 [CRITICAL] CWE-287 Authentication bypass in MAGMI
Authentication bypass in MAGMI
MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting max_connections (default 151) is lower than Apache (or another web server) setting MaxRequestWorkers (formerly MaxClients) (default 256). This can be done by se
ghsaosv
CVE-2014-8770P2HIGHPoC≥ 0, ≤ 0.7.17a2022-05-14
CVE-2014-8770 [HIGH] CWE-94 MAGMI plugin for Magento Unsafe File Upload
MAGMI plugin for Magento Unsafe File Upload
Unrestricted file upload vulnerability in `magmi/web/magmi.php` in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file, then accessing the PHP file via a direct request to it in `magmi/plugins/`.
ghsaosv
CVE-2015-2068P4MEDIUMPoC≥ 0, < 0.7.222022-05-13
CVE-2015-2068 [MEDIUM] CWE-79 MAGMI cross-site scripting (XSS)
MAGMI cross-site scripting (XSS)
Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php.
ghsaosv