Magento Mass Importer Unauthenticated Access
critical Web App Scanning 插件 ID 112571
语言:
简介
Magento Mass Importer Unauthenticated Access描述
Magento Mass Importer (Magmi) is a Magento database client used to perform raw bulk operations on the models of the online store. The purpose of this software is to help Magento websites administrators to manage their catalog through a dedicated web interface. By directly accessing the Magmi URL with no authentication required, an attacker could achieve a remote code execution on the target application or other unintended operations.解决方案
Authentication should be enforced to prevent unauthorized access to the Magmi interface. However, as the Magmi application is no more maintained and contains known issues, it is recommended to disable or remove it.另见
插件详情
严重性: Critical
ID: 112571
类型: remote
发布时间: 8/28/2020
最近更新时间: 9/7/2021
扫描模板: api, basic, full, pci, scan
风险信息
VPR
风险因素: High
分数: 7.5
CVSS v2
风险因素: Critical
基本分数: 10
矢量: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 分数来源: Tenable
CVSS v3
风险因素: Critical
基本分数: 10
矢量: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 分数来源: Tenable
漏洞信息
可利用: true
易利用性: Exploits are available
参考资料信息
CWE: 284
OWASP: 2010-A8, 2013-A7, 2013-A9, 2017-A5, 2017-A9, 2021-A1, 2021-A6
WASC: Insufficient Authorization
CAPEC: 19, 441, 478, 479, 502, 503, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 578
DISA STIG: APSC-DV-000460, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-1.4.2, 4.0.2-14.2.1