| CVE ID | CVE-2024-6662 |
| Publication date | 10 September 2024 |
| Vendor | Jan Syski |
| Product | MegaBIP |
| Vulnerable versions | All before 5.15 |
| Vulnerability type (CWE) | Cross-Site Request Forgery (CSRF) (CWE-352) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2024-6880 |
| Publication date | 10 September 2024 |
| Vendor | Jan Syski |
| Product | MegaBIP |
| Vulnerable versions | All before 5.15 |
| Vulnerability type (CWE) | Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538) |
| Report source | Own research |
Description
CERT Polska has coordinated the process of disclosing vulnerability details.
The vulnerability CVE-2024-6662, which was reported to CERT Polska, allows Cross-Site Request Forgery (CSRF) attacks as the form available under /edytor/index.php?id=7,7,0 lacks protection mechanisms. A user could be tricked into visiting a malicious website, which would send POST request to this endpoint. If the victim is logged in as an administrator, this could lead to creation of new accounts and granting of administrative permissions.
During its own research, CERT Polska has found the vulnerability CVE-2024-6880. During MegaBIP installation process, a user is encouraged to change a default path to administrative portal, as keeping it secret is listed by the author as one of the protection mechanisms. Publicly available source code of /registered.php discloses that path, allowing an attacker to attempt further attacks.
These issues affect MegaBIP software in versions before 5.15.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.