CVE-2014-8770: Remote File Inclusion (RFI)

November 13, 2014 (updated July 16, 2019)

MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files, etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server.

References

github.com/dweeves/magmi-git/commit/da400ea5772dd7427c2c1732a6a3a29363bbabdf
www.exploit-db.com/exploits/35052/

Detect and mitigate CVE-2014-8770 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →