![Vulnerabilities discovered in the Magento Mass Import plugin: Tenable Research Vulnerabilities discovered in the Magento Mass Import plugin: Tenable Research](https://varindia.com/public/index.php/storage/news/uploads/2018/02/5f4f51b248012.jpg)
Two vulnerabilities have been discovered in the Magento Mass Import (MAGMI) plugin. Tenable Research discovered and disclosed the vulnerabilities. This plugin was the subject of an FBI flash security alert in May as attackers were actively exploiting CVE-2017-7391 against vulnerable Magento sites.
CVE-2020-5776 is a cross-site request forgery vulnerability in MAGMI for Magento. An attacker could exploit this vulnerability to perform an attack by tricking a Magento Administrator into clicking on a link while they are authenticated to MAGMI. The attacker could hijack the administrator's sessions, allowing them to execute arbitrary code on the server where MAGMI is hosted.
CVE-2020-5777 is authentication bypass vulnerability in MAGMI for Magento version 0.7.23 and below due to the presence of a fallback mechanism using default credentials. An attacker could force the database connection to fail due to a database denial of service (DB- DoS) attack, then authenticate to MAGMI using the default credentials.
A patch has been published for CVE-2020-5777 in MAGMI version 0.7.24 on August 30. However, there was still no patch available for CVE-2020-5776.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.