CVE-2024-6662 pertains to a Cross-Site Request Forgery (CSRF) vulnerability (CWE-352). This weakness lets an attacker craft a request that a victim's browser submits to the application without the victim intending it. Specifically, a user might be lured to a harmful website that emits a POST request to MegaBIP's endpoint at /edytor/index.php?id=7,7,0. If an admin-level user is logged in when this request is triggered, the forged request can create new user accounts and grant them administrative permissions without the admin's consent.
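As an added defender-side example (not part of this advisory and not MegaBIP code), the following Python script scans combined-format web server access log lines for POST requests to the /edytor/index.php?id=7,7,0 endpoint whose Referer is absent or belongs to another site, which is how a forged cross-site submission of the kind described above would typically appear in logs. The site hostname and the log lines are constructed assumptions; a missing Referer is flagged as a lower-confidence hit because referrer policies can suppress it legitimately.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "bip.example.org"   # assumed hostname of the MegaBIP site (placeholder)
ADMIN_PATH = "/edytor/index.php"  # endpoint named in the advisory
ADMIN_QUERY_ID = "7,7,0"          # query value named in the advisory

# Apache/nginx "combined" format: the Referer is the first quoted field after the size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Reason string for a POST to the account endpoint with a missing or foreign Referer, else None."""
    if entry["method"] != "POST":
        return None
    url = urlsplit(entry["target"])
    if url.path != ADMIN_PATH or parse_qs(url.query).get("id") != [ADMIN_QUERY_ID]:
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        return "no referer on state-changing admin POST"
    ref_host = urlsplit(referer).hostname
    if ref_host != SITE_HOST:
        return f"cross-site referer {ref_host}"
    return None  # same-origin submission, expected for a legitimate admin action

def find_suspect_posts(lines):
    """Return (client ip, timestamp, reason) for every suspect entry, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            reason = classify(entry)
            if reason:
                hits.append((entry["ip"], entry["time"], reason))
    return hits

# Constructed sample lines, not real traffic: one legitimate admin POST, one POST
# referred from a third-party page, one harmless GET, one POST with no Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2024:12:01:02 +0000] "POST /edytor/index.php?id=7,7,0 HTTP/1.1" 302 0 "https://bip.example.org/edytor/index.php?id=7,7,0" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2024:12:05:44 +0000] "POST /edytor/index.php?id=7,7,0 HTTP/1.1" 302 0 "https://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2024:12:06:10 +0000] "GET /edytor/index.php?id=7,7,0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2024:12:07:01 +0000] "POST /edytor/index.php?id=7,7,0 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Running `find_suspect_posts(SAMPLE_LOG)` flags the second and fourth lines only; the same-origin POST and the GET are ignored.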
The disclosure of CVE-2024-6880 emerged from an independent investigation by CERT Polska. This vulnerability involves the insertion of sensitive information into an externally accessible file or directory (CWE-538). During the MegaBIP installation process, users are prompted to change the default path to the administrative portal, a step the developer includes as a security measure. However, the public code of /registrado.php exposes this path, which undermines that measure and makes it easier for an attacker to locate the administrative portal and attempt account hijacking or other malicious activity.
Both vulnerabilities significantly compromise the security of MegaBIP installations, especially for those using versions prior to 5.15. Users are urged to be cautious and upgrade their systems to mitigate risks associated with these vulnerabilities. CERT Polska has coordinated the process of disclosing these issues to ensure users are informed and can take protective measures.
Further information regarding coordinated vulnerability disclosures can be found on CERT Polska’s website. The existence of these vulnerabilities highlights the importance of ongoing software updates and security best practices to protect user data and maintain system integrity.