CVE-2014-8770

Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file, then accessing the PHP file via a direct request to it in magmi/plugins/.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:C/I:C/A:C
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
magmi_projectmagmi
𝑥
≤ 0.7.17a
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://osvdb.org/show/osvdb/113848
http://www.exploit-db.com/exploits/35052
http://osvdb.org/show/osvdb/113848
http://www.exploit-db.com/exploits/35052