Magmi – Cross-Site Scripting v.0.7.22

By
Anandhu Krishnan
Published on
10 Jan 2022
Vulnerability

Description

Magmi is a Magento Mass Importer developed as a magento DATABASE client, that operates directly in SQL

Cross-Site Scripting (XSS) vulnerability has been found in Magmi v.0.7.22. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the url magmi-git-master/magmi/web/ajax_gettime.php

This vulnerability occurs when malicious scripts are injected into trusted websites. Generally in the form of a browser side script, to a different end-user. The browser will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information These scripts can even rewrite the content of the HTML page. And also, attackers can pretend as authorized users via session cookies, allowing them to perform any action allowed by the user’s account.

Recommendation

  • Update Magmi to the latest version.

Written by
Anandhu Krishnan
Anandhu Krishnan
Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days