Tenable discovers vulnerabilities in the Magento Mass Import plugin

Tenable Research has discovered and disclosed two vulnerabilities in the Magento Mass Import (MAGMI) plugin. This plugin was the subject of an FBI flash security alert in May as attackers were actively exploiting CVE-2017-7391 against vulnerable Magento sites.

CVE-2020-5776 is a cross-site request forgery vulnerability in MAGMI for Magento. An attacker could exploit this vulnerability to perform an attack by tricking a Magento Administrator into clicking on a link while they are authenticated to MAGMI. The attacker could hijack the administrator's sessions, allowing them to execute arbitrary code on the server where MAGMI is hosted.

CVE-2020-5777 is an authentication bypass vulnerability in MAGMI for Magento version 0.7.23 and below due to the presence of a fallback mechanism using default credentials. An attacker could force the database connection to fail due to a database denial of service (DB- DoS) attack, then authenticate to MAGMI using the default credentials.