Magmi is a Magento Mass Importer developed as a Magento database client that operates directly in SQL.
A Cross-Site Scripting (XSS) vulnerability has been found in Magmi v.0.7.22. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the URL magmi-git-master/magmi/web/ajax_gettime.php.
This vulnerability occurs when malicious scripts are injected into trusted websites, generally in the form of a browser-side script delivered to a different end user. The browser executes the script because it thinks the script came from a trusted source, so the malicious script can access any cookies, session tokens, or other sensitive information. These scripts can even rewrite the content of the HTML page. Attackers can also impersonate authorized users via session cookies, allowing them to perform any action allowed by the user’s account.
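One way to close this class of bug, as an added example that is not Magmi's code: a hypothetical handler in the style of ajax_gettime.php that validates the prefix parameter against an allowlist, encodes it on output, and serves the response as plain text. The function names, the 32-character limit, the fallback value, and the assumption that the prefix is echoed next to a timestamp are illustrative.

```php
<?php
// Added example, not Magmi's code: a hypothetical handler that echoes a
// caller-supplied "prefix" next to the server time, written defensively.
declare(strict_types=1);

/** Accept only short [A-Za-z0-9_-] prefixes; anything else becomes a fixed default. */
function clean_prefix($raw): string
{
    // Arrays (prefix[]=x) and other non-strings are rejected outright.
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) !== 1) {
        return 'time'; // assumed default label
    }
    return $raw;
}

/** Build the response line; the prefix is HTML-encoded even though it was validated. */
function render_time_line(string $prefix, int $now): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8.
    $safe = htmlspecialchars($prefix, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $safe . ':' . date('c', $now);
}

if (PHP_SAPI !== 'cli') {
    // text/plain plus nosniff keeps the browser from rendering the body as HTML.
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    echo render_time_line(clean_prefix($_GET['prefix'] ?? null), time());
} else {
    // Constructed inputs: a normal prefix, one containing markup, and an array.
    foreach (['import_42', '<b>x</b>', ['a']] as $sample) {
        echo render_time_line(clean_prefix($sample), 0), PHP_EOL;
    }
}
```

Run from the command line, the two rejected samples print with the default label instead of the supplied value, which shows the allowlist acting before output encoding is ever needed.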