Magento Mass Importer Unauthenticated Access

Critical | Web App Scanning Plugin ID 112571

Synopsis

Magento Mass Importer Unauthenticated Access

Description

Magento Mass Importer (Magmi) is a Magento database client used to perform raw bulk operations on the models of the online store. The purpose of this software is to help Magento website administrators manage their catalog through a dedicated web interface. By directly accessing the Magmi URL, with no authentication required, an attacker could achieve remote code execution on the target application or perform other unintended operations.

Solution

Authentication should be enforced to prevent unauthorized access to the Magmi interface. However, as the Magmi application is no longer maintained and contains known issues, it is recommended to disable or remove it.

See Also

https://github.com/dweeves/magmi-git/

Plugin Details

Severity: Critical

ID: 112571

Type: remote

Published: 8/28/2020

Updated: 9/7/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS Score Source: Tenable

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information