CVE-2020-5776 – dweeves/magmi
Package
Manager: composer
Name: dweeves/magmi
Vulnerable Version: >=0 <=0.7.24
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.70989 (percentile 0.98655)
Details
Cross-Site Request Forgery in MAGMI
All versions of MAGMI up to and including version 0.7.24 are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via the phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
Metadata
Created: 2021-05-06T18:54:41Z
Modified: 2021-05-05T19:10:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-cv7m-wc7g-7gfp/GHSA-cv7m-wc7g-7gfp.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-cv7m-wc7g-7gfp
Finding: F007
Auto approve: 1