PT-2014-8725 · Magmi · Magmi Plugin

Parvinder Bhasin (+1)

Published 2014-11-13 · Updated 2022-05-14 · CVE-2014-8770

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
MAGMI plugin versions 0.7.17a and earlier

Description
An unrestricted file upload in magmi/web/magmi.php allows a remote authenticated user to execute arbitrary code. The attacker uploads a ZIP archive that contains a PHP file; the archive is unpacked under magmi/plugins/, and the attacker then requests the PHP file directly, so the web server executes it. The upload handler does not check the archive's contents, so any file type, including PHP, lands in a web-served directory.

Recommendations
For MAGMI plugin versions 0.7.17a and earlier, consider disabling the magmi/web/magmi.php file until a patch is available, which prevents remote authenticated users from uploading malicious archives. Restrict access to the magmi/plugins/ directory, in particular so that PHP files placed there cannot be requested or executed, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
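The following is an added example, not MAGMI's own code and not the project's patch: it shows the pre-extraction check that the description says is missing, written in the application's language (PHP, using the standard ZipArchive class). Every archive entry is inspected before anything is written, and the whole archive is rejected if any entry would place a PHP-executable file, a path-traversal entry, or a web-server override file under the plugins directory. The extension list, the function names, and the paths in the usage comment are assumptions for illustration.

```php
<?php
// Added example, not MAGMI's own code. Validates a plugin ZIP before extraction
// so that an upload through magmi/web/magmi.php cannot drop a PHP file into
// magmi/plugins/. Function names, paths and the extension list are assumptions.

// Extensions a typical Apache or PHP-FPM setup hands to the PHP interpreter.
// Adjust to match the handlers actually configured on the server.
$EXECUTABLE_EXTENSIONS = array('php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps');

/**
 * Return the reasons an archive entry must not be extracted into the plugins
 * directory, or an empty array when the entry is acceptable.
 */
function entryProblems($name)
{
    global $EXECUTABLE_EXTENSIONS;
    $problems = array();
    $normalized = str_replace('\\', '/', $name);

    // Absolute paths, NUL bytes and empty names are never legitimate entries.
    if ($name === '' || $normalized[0] === '/' || strpos($name, "\0") !== false) {
        $problems[] = 'absolute or malformed path';
    }

    // Reject traversal such as "../../web/shell.php" (the "zip slip" pattern).
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            $problems[] = 'path traversal';
            break;
        }
    }

    // Check every extension after the first dot, so double extensions such as
    // "shell.php.txt" are caught as well as plain "shell.php".
    $base = strtolower(basename($normalized));
    $parts = explode('.', $base);
    array_shift($parts); // discard the part before the first dot
    foreach ($parts as $ext) {
        if (in_array($ext, $EXECUTABLE_EXTENSIONS, true)) {
            $problems[] = 'executable extension .' . $ext;
            break;
        }
    }

    // A .htaccess or .user.ini shipped inside the archive could re-enable PHP
    // handling or undo the access restriction on the plugins directory.
    if ($base === '.htaccess' || $base === '.user.ini') {
        $problems[] = 'web-server override file';
    }

    return $problems;
}

/**
 * Inspect every entry of $zipPath and extract into $pluginsDir only when all
 * entries are acceptable. Returns the rejected entries (empty on success).
 */
function installPluginArchive($zipPath, $pluginsDir)
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive: ' . $zipPath);
    }

    $rejected = array();
    $names = array();
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $problems = entryProblems($name);
        if (count($problems) > 0) {
            $rejected[$name] = $problems;
        }
        $names[] = $name;
    }

    // All-or-nothing: one bad entry rejects the archive, so nothing is written
    // under the plugins directory before the check has completed.
    if (count($rejected) === 0) {
        $zip->extractTo($pluginsDir, $names);
    }
    $zip->close();
    return $rejected;
}

// Usage in an upload handler (paths are assumptions):
// $bad = installPluginArchive('/tmp/upload.zip', '/var/www/magento/magmi/plugins');
// if (count($bad) > 0) { http_response_code(400); exit('plugin archive rejected'); }
```

The check is deliberately all-or-nothing and runs before extractTo(), because extracting first and deleting afterwards leaves a window in which the attacker can request the file. It complements rather than replaces the recommendation above: independently of the upload code, the web server should be configured so that files under magmi/plugins/ are never passed to the PHP handler, which limits the impact even if a future upload path is found.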

Exploit

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2014-8770
GHSA-X3GH-95P8-43QV

Affected Products

Magmi Plugin