Tenable Research has discovered and disclosed two vulnerabilities in the Magento Mass Import (MAGMI) plugin. This plugin was the subject of an FBI flash security alert in May as attackers were actively exploiting CVE-2017-7391 against vulnerable Magento sites.
CVE-2020-5776 is a cross-site request forgery vulnerability in MAGMI for Magento. An attacker could exploit this vulnerability to perform an attack by tricking a Magento Administrator into clicking on a link while they are authenticated to MAGMI. The attacker could hijack the administrator’s sessions, allowing them to execute arbitrary code on the server where MAGMI is hosted.
CVE-2020-5777 is an authentication bypass vulnerability in MAGMI for Magento version 0.7.23 and below due to the presence of a fallback mechanism using default credentials. An attacker could force the database connection to fail due to a database denial of service (DB- DoS) attack, then authenticate to MAGMI using the default credentials.
A patch has been published for CVE-2020-5777 in MAGMI version 0.7.24 on August 30. However, there was still no patch available for CVE-2020-5776.
Here’s a full analysis by Tenable Research.