Lucene search

GitHub Advisory DatabaseGHSA-CV7M-WC7G-7GFP

HistoryMay 06, 2021 - 6:54 p.m.

Cross-Site Request Forgery in MAGMI

2021-05-0618:54:41

CWE-352

GitHub Advisory Database

github.com

magmi

cross-site request forgery

remote code execution

csrf

vulnerability

admin session

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.35

Percentile

97.1%

JSON

All versions of MAGMI up to and including version 0.7.24 are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.

Affected configurations

Vulners

Node

dweevesmagmiRange≤0.7.24

VendorProductVersionCPE
dweevesmagmi*cpe:2.3:a:dweeves:magmi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
dweeves	magmi	*	cpe:2.3:a:dweeves:magmi::::::::

References

github.com/advisories/GHSA-cv7m-wc7g-7gfp

nvd.nist.gov/vuln/detail/CVE-2020-5776

www.tenable.com/security/research/tra-2020-51

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.35

Percentile

97.1%

JSON

Related for GHSA-CV7M-WC7G-7GFP