GHSA-cv7m-wc7g-7gfp

Source
https://github.com/advisories/GHSA-cv7m-wc7g-7gfp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-cv7m-wc7g-7gfp/GHSA-cv7m-wc7g-7gfp.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cv7m-wc7g-7gfp
Aliases
  • CVE-2020-5776
Published
2021-05-06T18:54:41Z
Modified
2023-11-01T04:53:25.401175Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cross-Site Request Forgery in MAGMI
Details

All versions of MAGMI up to and including 0.7.24 are vulnerable to CSRF because the application does not use CSRF tokens. If a CSRF attack is leveraged against an existing MAGMI admin session, remote code execution (via the phpcli command) is possible.

Database specific
{
    "nvd_published_at": "2020-09-01T21:15:00Z",
    "github_reviewed_at": "2021-05-05T19:10:44Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Packagist / dweeves/magmi

Package

Name
dweeves/magmi
Purl
pkg:composer/dweeves/magmi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.7.24

Affected versions

0.*

0.7.19a
0.7.19
0.7.20
0.7.21
0.7.22
0.7.24