Magmi – Cross-Site Scripting v.0.7.22

By Anandhu Krishnan
Published on 10 Jan 2022
Vulnerability

Description

Magmi is a Magento Mass Importer built as a Magento database client; it operates directly on the database through SQL.

A Cross-Site Scripting (XSS) vulnerability has been found in Magmi v.0.7.22. It exists because the user-supplied `prefix` parameter passed to the URL magmi-git-master/magmi/web/ajax_gettime.php is not sufficiently filtered before it is placed in the response.

XSS occurs when an attacker injects a malicious script, usually a browser-side script, into a trusted website, from which it is delivered to another end user. Because the victim's browser believes the script came from a trusted source, it executes it, and the script can read any cookies, session tokens or other sensitive information the page can access, and can rewrite the content of the HTML page. An attacker who obtains the session cookie can impersonate the authorised user and perform any action that user's account is allowed to perform.

Recommendation

  • Update Magmi to the latest version.
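The root cause described above is a parameter that reaches the HTML response without output encoding. The following Python model, added here as an illustration and not code from Magmi or from the advisory, places the vulnerable pattern beside the hardened one: the same `prefix` value is rendered once by plain string concatenation and once after HTML-encoding. The endpoint name, the `span` template and the sample query string are constructed for the example; the PHP equivalent of `html.escape(..., quote=True)` is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`.

```python
import html
from urllib.parse import parse_qs

# Fixed markup the (hypothetical) endpoint wraps around the value.
# Exactly one opening and one closing tag, so any further '<' or '>'
# in the rendered output must have come from the parameter itself.
TEMPLATE = "<span id='prefix'>{}</span>"


def render_unsafe(prefix: str) -> str:
    """Vulnerable pattern: the user-controlled value is concatenated into
    markup unchanged, so '<', '>' and quotes become live HTML."""
    return TEMPLATE.format(prefix)


def render_safe(prefix: str) -> str:
    """Hardened pattern: encode &, <, >, " and ' before insertion, so the
    value is always rendered as text, never interpreted as markup."""
    return TEMPLATE.format(html.escape(prefix, quote=True))


def handle_request(query_string: str, safe: bool = True) -> str:
    """Model of the request handler: pull `prefix` out of the query string
    (URL-decoded, as the web server would hand it over) and render it."""
    params = parse_qs(query_string, keep_blank_values=True)
    prefix = params.get("prefix", [""])[0]
    return (render_safe if safe else render_unsafe)(prefix)


def is_text_only(rendered: str) -> bool:
    """Check that the response contains only the template's two tags.
    Any additional '<' or '>' means the parameter leaked into markup."""
    return rendered.count("<") == 2 and rendered.count(">") == 2


if __name__ == "__main__":
    # Constructed sample: a value carrying harmless bold tags stands in for
    # any markup a user could supply in the parameter.
    sample = "prefix=sku_%3Cb%3Ex%3C/b%3E"
    for safe in (False, True):
        out = handle_request(sample, safe=safe)
        print(f"safe={safe!s:5} text_only={is_text_only(out)!s:5} {out}")
```

Running the script shows the unsafe path emitting the supplied `<b>` tags as real elements, while the safe path emits `&lt;b&gt;` and passes the `is_text_only` check. The check itself is a useful regression test for any fix: render a value containing `<`, `>`, `&` and both quote characters, and assert the tag count of the response did not change.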

Written by
Anandhu Krishnan
Lead Engineer