CVE-2015-2068

MAGMI < 0.7.22 - Cross-Site Scripting via Profile Parameter or QUERY_STRING

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2068. PoCs published by SECUPENT. A Nuclei detection template is also available.

AI-analyzed exploit summary: The exploit demonstrates a Local File Inclusion (LFI) vulnerability and Cross-Site Scripting (XSS) in the Magento Server MAGMI Plugin. The LFI allows reading arbitrary files via path traversal, while the XSS is achieved through improper input sanitization in URL parameters.

Description

Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php.

Exploits (1)

exploitdb · WORKING POC
by SECUPENT · text · webapps · php
https://www.exploit-db.com/exploits/35996

Classification
Working PoC: 90%
Attack Type: Info Leak | XSS
Complexity: Trivial
Reliability: Reliable
Target: MAGMI Plugin for Magento
Authentication: No auth needed
Prerequisites: Access to the MAGMI web interface
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Magento Server Mass Importer - Cross-Site Scripting
MEDIUM · VERIFIED · by daffainfo
Shodan: http.component:"Magento" || http.component:"magento"

References (3)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/74879
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/35996

Scores

EPSS 0.0194
EPSS Percentile 83.9%

Details

CWE
CWE-79
Status published
Products (2)
dweeves/magmi 0 - 0.7.22 (Packagist)
magmi_project/magmi
Published Feb 24, 2015
Tracked Since Feb 18, 2026