Tenable discovers vulnerabilities in the Magento Mass Import plugin

From changeagentspr.wordpress.com

Magento plugin Magmi vulnerable to hijacking admin sessions

Tenable Research has discovered and disclosed two vulnerabilities in the Magento Mass Import (MAGMI) plugin. This plugin was the subject of an FBI flash security alert in May as attackers were actively exploiting CVE-2017-7391 against vulnerable Magento sites.

CVE-2020-5776 is a cross-site request forgery vulnerability in MAGMI for Magento. An attacker could exploit this vulnerability to perform an attack by tricking a Magento Administrator into clicking on a link while they are authenticated to MAGMI. The attacker could hijack the administrator’s sessions, allowing them to execute arbitrary code on the server where MAGMI is hosted.

Read more…