Magmi · Magmi Plugin · CVE-2014-8770
**Name of the Vulnerable Software and Affected Versions**
MAGMI plugin versions 0.7.17a and earlier
**Description**
An unrestricted file upload vulnerability in `magmi/web/magmi.php` allows remote authenticated users to execute arbitrary code. An attacker uploads a ZIP file that contains a PHP file, which ends up under `magmi/plugins/`, and then runs it by requesting that PHP file directly.
**Recommendations**
For MAGMI plugin versions 0.7.17a and earlier, consider disabling the `magmi/web/magmi.php` file until a patch is available, so that remote authenticated users cannot upload malicious files. Restrict access to the `magmi/plugins/` directory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
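To support the recommendations above, the following is an added detection example (not MAGMI project code) that flags, per client IP in web access logs, an upload POST to `magmi/web/magmi.php` followed by a successful direct request for a `.php` file under `magmi/plugins/`. The log lines, IP addresses and plugin paths are constructed samples.

```python
"""Flag the CVE-2014-8770 exploitation pattern in Common Log Format access logs.

Added example, not MAGMI code: an IP that POSTs to magmi/web/magmi.php and later
gets a 2xx on a .php file under magmi/plugins/ is reported. Sample data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines (Common Log Format), not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2014:13:56:01 +0000] "POST /magmi/web/magmi.php HTTP/1.1" 200 812
203.0.113.10 - - [10/Oct/2014:13:56:09 +0000] "GET /magmi/plugins/extra/run.php HTTP/1.1" 200 46
198.51.100.7 - - [10/Oct/2014:14:02:11 +0000] "POST /magmi/web/magmi.php HTTP/1.1" 200 812
198.51.100.7 - - [10/Oct/2014:14:03:40 +0000] "GET /magmi/web/magmi.php HTTP/1.1" 200 5120
192.0.2.44 - - [10/Oct/2014:14:10:02 +0000] "GET /magmi/plugins/base/readme.txt HTTP/1.1" 404 0
"""

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/magmi/web/magmi.php"
# Executable PHP extensions served from the plugin directory (assumed list).
PLUGIN_PHP = re.compile(r"^/magmi/plugins/.*\.(?:php|phtml|php\d)(?:$|\?)", re.IGNORECASE)

def parse_line(line):
    """Return (ip, method, path, status) for a CLF line, or None if unparsable."""
    m = CLF.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))

def find_suspicious_clients(log_text):
    """Map IP -> plugin .php paths requested after that IP uploaded via magmi.php.

    Order matters: a plugin request seen before any upload from the same IP is
    ignored, and only 2xx plugin responses count (a 404 means nothing was planted).
    """
    uploaded = set()
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if method == "POST" and path.split("?")[0] == UPLOAD_ENDPOINT:
            uploaded.add(ip)
        elif method == "GET" and PLUGIN_PHP.match(path) and 200 <= status < 300 and ip in uploaded:
            flagged[ip].append(path)
    return dict(flagged)

if __name__ == "__main__":
    for ip, paths in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"ALERT {ip}: upload to {UPLOAD_ENDPOINT} followed by {', '.join(paths)}")
```

A 2xx on a newly requested `.php` under `magmi/plugins/` from an IP that just used the uploader is the signal worth alerting on; legitimate plugin installs do not normally involve the installer browsing to plugin scripts directly.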