SB2020090406 - Improper Authentication in MAGMI
Published: September 4, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authentication (CVE-ID: CVE-2020-5777)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists because the affected software allows the default magmi:magmi credentials to be used when a database connection fails. A remote attacker can authenticate with the default credentials and execute arbitrary commands on the server by uploading a PHP webshell.
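The fail-open pattern described above, next to a fail-closed version, as an added Python illustration (not MAGMI's own code, which is PHP). The function names, the in-memory user store and the `db_up` flag are assumptions made for the example.

```python
import hashlib
import hmac


class DatabaseUnavailable(Exception):
    """Raised when the credential store cannot be reached."""


def _digest(password: str) -> str:
    # Unsalted SHA-256 keeps the sample short; real code should use a password KDF.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample credential store (stands in for the application database).
USERS = {"admin": _digest("S3parate-Str0ng-Secret")}


def lookup_hash(user: str, db_up: bool):
    """Return the stored hash for `user`, or raise if the store is down."""
    if not db_up:
        raise DatabaseUnavailable("connection failed")
    return USERS.get(user)


def _matches(stored, password: str) -> bool:
    # Constant-time comparison of the stored and supplied digests.
    return stored is not None and hmac.compare_digest(stored, _digest(password))


def auth_fail_open(user: str, password: str, db_up: bool = True) -> bool:
    """Flawed pattern: a built-in account is accepted when the DB is down."""
    try:
        stored = lookup_hash(user, db_up)
    except DatabaseUnavailable:
        # The fallback turns a database outage into a working login.
        return (user, password) == ("magmi", "magmi")
    return _matches(stored, password)


def auth_fail_closed(user: str, password: str, db_up: bool = True) -> bool:
    """Hardened pattern: no credential store means no login at all."""
    try:
        stored = lookup_hash(user, db_up)
    except DatabaseUnavailable:
        return False
    return _matches(stored, password)
```

In the fail-closed version a database outage denies every login, including valid ones, so an availability problem can no longer become an authentication bypass.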
Remediation
Install the update from the vendor's website.