Report an incident
Back
  • About us
  • News
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in MegaBIP and SmodBIP software
20 December 2023 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2023-5378
Publication date 20 December 2023
Vendor Jan Syski
Product SmodBIP and MegaBIP
Vulnerable versions SmodBIP: all, MegaBIP: all through 4.36.2
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Report source Own research

Description

During its own research, CERT Polska has found a Stored XSS (Cross-site scripting) vulnerability in both MegaBIP (currently being maintained) and SmodBIP (out-of-support) CMS software. It allows any non-registered user who knows the administration panel address to embed a script that might be executed in an administrator's browser. One of possible outcomes is creation of a new account with administrative privileges, leading to a full website compromise. The ID CVE-2023-5378 has been assigned to this vulnerability.

MegaBIP 4.36.2 and SmodBIP 2.21 (latest available) are vulnerable. It is safe to assume that all versions of SmodBIP and MegaBIP <= 4.36.2 are affected. MegaBIP 5.08 was tested and is not vulnerable. However, a precise range of vulnerable versions remains unknown.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.