CVE ID | CVE-2024-1576 |
Publication date | 12 June 2024 |
Vendor | Jan Syski |
Product | MegaBIP |
Vulnerable versions | All through 5.09 |
Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
Report source | Own research |
CVE ID | CVE-2024-1577 |
Publication date | 12 June 2024 |
Vendor | Jan Syski |
Product | MegaBIP |
Vulnerable versions | All through 5.11.2 |
Vulnerability type (CWE) | Improper Control of Generation of Code ('Code Injection') (CWE-94) |
Report source | Own research |
CVE ID | CVE-2024-1659 |
Publication date | 12 June 2024 |
Vendor | Jan Syski |
Product | MegaBIP |
Vulnerable versions | All through 5.10 |
Vulnerability type (CWE) | Unrestricted Upload of File with Dangerous Type (CWE-434) |
Report source | Own research |
Description
During its own research, CERT Polska has found three critical vulnerabilities in MegaBIP software and participated in coordination of their disclosure.
The vulnerability CVE-2024-1576 is SQL Injection vulnerability in MegaBIP software. It allows an attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. This issue affects MegaBIP software versions through 5.09.
The vulnerability CVE-2024-1577 allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue affects MegaBIP software versions through 5.11.2.
The vulnerability CVE-2024-1659 allows an attacker to upload any file to the server (including a PHP code file) without an authentication. This issue affects MegaBIP software versions through 5.10.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.