Detections
Analytics
Magento Mass Importer < 0.7.23 Cross-Site Scripting
medium Web App Scanning Plugin ID 112441
Language:
Synopsis
Magento Mass Importer < 0.7.23 Cross-Site ScriptingDescription
Magento Mass Importer (Magmi) is a Magento database client used to perform raw bulk operations on the models of the online store. Magento Mass Importer versions before 0.7.23 suffer from a cross-site scripting vulnerability through the prefix parameter of the /magmi/web/ajax_gettime.php URL, allowing an attacker to inject HTML or javascript code in the context of the vulnerable application. The attacker could leverage this vulnerability to target Magento privileged users and to gain access to sensitive information or to perform modifications on behalf of this user.Solution
Magento Mass Importer version 0.7.23 fixes the vulnerability but is still in development and has known issues. Therefore, it is recommended to remove the software.See Also
https://github.com/dweeves/magmi-git/issues/522
https://www.documentcloud.org/documents/6893935-FBI-Flash-Alert-MU-000127-MW.html
Plugin Details
Severity: Medium
ID: 112441
Type: remote
Family: Component Vulnerability
Published: 6/11/2020
Updated: 9/7/2021
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 4.6
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2017-7391
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score Source: CVE-2017-7391
Vulnerability Information
Exploit Available: true
Exploit Ease: Exploits are available
Reference Information
CVE: CVE-2017-7391
BID: 97311
CWE: 79
OWASP: 2010-A2, 2013-A3, 2013-A9, 2017-A7, 2017-A9, 2021-A3, 2021-A6
WASC: Cross-Site Scripting
CAPEC: 209, 588, 591, 592, 63, 85
DISA STIG: APSC-DV-002490, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.3.3