Report an incident
Back
  • About us
  • News
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerabilities in CemiPark software
09 May 2024 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2024-4423
Publication date 09 May 2024
Vendor CEMI Tomasz Pawełek
Product CemiPark
Vulnerable versions 4.5, 4.7, 5.03 and potentially others
Vulnerability type (CWE) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Report source Report to CERT Polska
CVE ID CVE-2024-4424
Publication date 09 May 2024
Vendor CEMI Tomasz Pawełek
Product CemiPark
Vulnerable versions 4.5, 4.7, 5.03 and potentially others
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska
CVE ID CVE-2024-4425
Publication date 09 May 2024
Vendor CEMI Tomasz Pawełek
Product CemiPark
Vulnerable versions 4.5, 4.7, 5.03 and potentially others
Vulnerability type (CWE) Plaintext Storage of a Password (CWE-256)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in CemiPark software and participated in coordination of their disclosure.

The vulnerability CVE-2024-4423 allows the authentication bypass due to improper validation of user-entered data. An attacker who has network access to the login panel can log in with administrator rights to the application.

The vulnerability CVE-2024-4424 allows the stored cross-site scripting (XSS) attack. The access control module does not properly validate user-entered data. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.

The vulnerability CVE-2024-4425 is about storing other services, such as FTP or SIP, credentials in plain-text. An attacker who gained unauthorized access to the device can retrieve clear text passwords.

These issues affect CemiPark software: 4.5, 4.7, 5.03 (which were tested by the finder) and potentially others. The vendor refused to provide the specific range of affected products.

Credits

We thank Dariusz Gońda for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.