Magmi – Cross-Site Scripting v.0.7.22

By
Anandhu Krishnan
Published on
10 Jan 2022
Vulnerability

Description

Magmi is a Magento Mass Importer, developed as a Magento database client that operates directly in SQL.

A Cross-Site Scripting (XSS) vulnerability has been found in Magmi v.0.7.22. It exists because the user-supplied data in the prefix parameter passed to the URL magmi-git-master/magmi/web/ajax_gettime.php is insufficiently filtered before being used.

This class of vulnerability occurs when malicious scripts are injected into otherwise trusted websites, generally in the form of a browser-side script delivered to a different end user. The browser executes the script because it appears to come from a trusted source, so the script can access any cookies, session tokens, or other sensitive information the browser holds for that site, and can even rewrite the content of the HTML page. An attacker can also pose as an authorized user via stolen session cookies, performing any action allowed by that user's account.
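To make the defect concrete, the following is an added illustration, not Magmi's own code: a hypothetical "get time" endpoint that reflects a prefix parameter, shown in the unsafe form the advisory describes and then hardened with an allowlist check on input and entity encoding on output. The function names, the assumed prefix format and the sample input are all constructed for this example.

```php
<?php
// Added illustration (not Magmi's code): a hypothetical endpoint that
// reflects a user-supplied "prefix" parameter, first in the unsafe form
// the advisory describes, then hardened.

declare(strict_types=1);

// Unsafe: the parameter is concatenated into the response verbatim, so any
// markup it contains is interpreted by the browser (reflected XSS).
function renderTimeUnsafe(string $prefix): string
{
    return $prefix . ' : ' . gmdate('Y-m-d H:i:s');
}

// Hardened, step 1: accept only values a table prefix can legitimately take
// (assumed format for this example: letters, digits, underscore, <= 32 chars).
function validatePrefix(string $prefix): ?string
{
    return preg_match('/^[A-Za-z0-9_]{0,32}$/', $prefix) === 1 ? $prefix : null;
}

// Hardened, step 2: encode on output for the context the value lands in.
function renderTimeSafe(string $prefix): string
{
    $encoded = htmlspecialchars($prefix, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $encoded . ' : ' . gmdate('Y-m-d H:i:s');
}

// Request handling: reject invalid input with a 400 and always answer with a
// JSON body and a nosniff header so the browser never renders it as HTML.
function handleRequest(array $query): void
{
    $prefix = validatePrefix((string) ($query['prefix'] ?? ''));
    header('Content-Type: application/json');
    header('X-Content-Type-Options: nosniff');
    if ($prefix === null) {
        http_response_code(400);
        echo json_encode(['error' => 'invalid prefix']);
        return;
    }
    echo json_encode(['time' => renderTimeSafe($prefix)]);
}

// Constructed sample run from the CLI, no web server needed:
$sample = 'mag_<i>';                       // constructed input containing markup
echo renderTimeUnsafe($sample), PHP_EOL;   // markup passes through untouched
echo renderTimeSafe($sample), PHP_EOL;     // angle brackets are entity-encoded
var_dump(validatePrefix($sample));         // rejected by the allowlist (null)
```

In a real handler, the allowlist check alone would stop this input; the output encoding is kept as a second layer in case the value reaches an HTML context by another path.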

Recommendation

  • Update Magmi to the latest version.

Written by
Anandhu Krishnan
Lead Engineer