According to a report released by Tenable Research, there has been a discovery and disclosure of two distinct vulnerabilities in the MAGMI or the (Magento Mass Import) plugin. It must be noted that the MAGMI plugin was part of the subject of the FBI’s flash security alert, which was announced in May since attackers were exploiting CVE-2017-7391 against the highly vulnerable Magento sites.
CVE-2020-5776, in essence, is a cross-site request forgery vulnerability in MAGMI for Magento. Attackers can exploit the vulnerability to carry out an attack by simply tricking the Magento Administrator and persuading it to click on the link even as they get authenticated to the MAGMI plugin. Attackers can hijack all the sessions of the administrator, thus allowing for the execution of the arbitrary code onto the server wherein the MAGMI plugin is hosted.
CVE-2020-5777 is basically an authentication bypass vulnerability within MAGMI for Magento version 0.7.23 and below, as a result of the presence of a fallback system that uses default credentials. Attackers can cause the connection of the database to fail, owing to a database denial of service (DB- DoS) attack, and later authenticate to MAGMI with the help of default credentials. While a patch for CVE-2020-5777 within MAGMI version 0.7.24 has been published on the 30th of August, the patch for CVE-2020-5776 is yet to be released.
