| Field | Value |
| --- | --- |
| CVE ID | CVE-2025-3893 |
| Publication date | 23 May 2025 |
| Vendor | Jan Syski |
| Product | MegaBIP |
| Vulnerable versions | All through 5.19 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
| Report source | Report to CERT Polska |

| Field | Value |
| --- | --- |
| CVE ID | CVE-2025-3894 |
| Publication date | 23 May 2025 |
| Vendor | Jan Syski |
| Product | MegaBIP |
| Vulnerable versions | All through 5.19 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |

| Field | Value |
| --- | --- |
| CVE ID | CVE-2025-3895 |
| Publication date | 23 May 2025 |
| Vendor | Jan Syski |
| Product | MegaBIP |
| Vulnerable versions | All through 5.19 |
| Vulnerability type (CWE) | Small Space of Random Values (CWE-334) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in MegaBIP software and participated in the coordination of their disclosure.
The vulnerability CVE-2025-3893: When editing pages managed by MegaBIP, a user with high privileges is prompted to give a reason for performing this action. Input provided by the user is not sanitized, leading to an SQL injection vulnerability.
The vulnerability CVE-2025-3894: The text editor embedded in MegaBIP software does not neutralize user input, allowing stored XSS attacks on other users. High privileges are required to use the editor.
The vulnerability CVE-2025-3895: Tokens used for resetting passwords in MegaBIP software are generated from a small space of random values combined with a queryable value. This allows an unauthenticated attacker who knows user login names to brute-force these tokens and change account passwords (including those belonging to administrators).
Version 5.20 of MegaBIP fixes these issues.
Credits
We thank Kamil Szczurowski and Robert Kruczek for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.