CVE-2024-1576 - OpenCVE

SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. This issue affects MegaBIP software versions through 5.09.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Megabip	Megabip

Configuration 1 [-]

cpe:2.3:a:megabip:megabip:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cert.pl/en/posts/2024/06/CVE-2024-1576/
https://cert.pl/posts/2024/06/CVE-2024-1576/
https://megabip.pl/
https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej

History

Wed, 14 Aug 2024 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Megabip Megabip megabip
CPEs		cpe:2.3:a:megabip:megabip::::::::
Vendors & Products		Megabip Megabip megabip
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2024-06-12T13:47:00.868Z

Updated: 2024-08-01T18:40:21.438Z

Reserved: 2024-02-16T09:29:48.287Z

Link: CVE-2024-1576

Vulnrichment

Updated: 2024-08-01T18:40:21.438Z

NVD

Status : Analyzed

Published: 2024-06-12T14:15:10.487

Modified: 2024-08-14T13:55:57.477

Link: CVE-2024-1576

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1576", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-02-16T09:29:48.287Z", "datePublished": "2024-06-12T13:47:00.868Z", "dateUpdated": "2024-08-01T18:40:21.438Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MegaBIP", "repo": "https://megabip.pl/pobierz/1", "vendor": "Jan Syski", "versions": [{"lessThanOrEqual": "5.09", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. <p>This issue affects MegaBIP software versions through 5.09.</p>"}], "value": "SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password.\u00a0This issue affects MegaBIP software versions through 5.09."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "IRRECOVERABLE", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:I/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-06-12T13:52:09.785Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/06/CVE-2024-1576/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/06/CVE-2024-1576/"}, {"tags": ["product"], "url": "https://megabip.pl/"}, {"tags": ["government-resource"], "url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej"}], "source": {"discovery": "UNKNOWN"}, "title": "SQL Injection in MegaBIP", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "jan_syski", "product": "megabip", "cpes": ["cpe:2.3:a:jan_syski:megabip:5.09:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.09", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T15:29:33.196574Z", "id": "CVE-2024-1576", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T15:32:28.824Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.438Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/en/posts/2024/06/CVE-2024-1576/"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/posts/2024/06/CVE-2024-1576/"}, {"tags": ["product", "x_transferred"], "url": "https://megabip.pl/"}, {"tags": ["government-resource", "x_transferred"], "url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1576/", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://cert.pl/posts/2024/06/CVE-2024-1576/", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://megabip.pl/", "tags": ["product", "x_transferred"]}, {"url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej", "tags": ["government-resource", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.438Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1576", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-12T15:29:33.196574Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jan_syski:megabip:5.09:*:*:*:*:*:*:*"], "vendor": "jan_syski", "product": "megabip", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.09"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T15:32:24.256Z"}}], "cna": {"title": "SQL Injection in MegaBIP", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "IRRECOVERABLE", "baseScore": 9.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:I/V:D/RE:M/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://megabip.pl/pobierz/1", "vendor": "Jan Syski", "product": "MegaBIP", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.09"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1576/", "tags": ["third-party-advisory"]}, {"url": "https://cert.pl/posts/2024/06/CVE-2024-1576/", "tags": ["third-party-advisory"]}, {"url": "https://megabip.pl/", "tags": ["product"]}, {"url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password.\u00a0This issue affects MegaBIP software versions through 5.09.", "supportingMedia": [{"type": "text/html", "value": "SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. <p>This issue affects MegaBIP software versions through 5.09.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-06-12T13:52:09.785Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1576", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:40:21.438Z", "dateReserved": "2024-02-16T09:29:48.287Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-06-12T13:47:00.868Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:megabip:megabip:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAA02B55-31B3-4027-BBF6-7E2D201B2D43", "versionEndIncluding": "5.09", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password.\u00a0This issue affects MegaBIP software versions through 5.09."}, {"lang": "es", "value": "La vulnerabilidad de inyecci\u00f3n SQL en el software MegaBIP permite al atacante obtener privilegios de administrador del sitio, incluido el acceso al panel de administraci\u00f3n y la capacidad de cambiar la contrase\u00f1a del administrador. Este problema afecta a las versiones del software MegaBIP hasta la 5.09."}], "id": "CVE-2024-1576", "lastModified": "2024-08-14T13:55:57.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "YES", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "recovery": "IRRECOVERABLE", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:I/V:D/RE:M/U:Amber", "version": "4.0", "vulnerabilityResponseEffort": "MODERATE", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2024-06-12T14:15:10.487", "references": [{"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/06/CVE-2024-1576/"}, {"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/06/CVE-2024-1576/"}, {"source": "cvd@cert.pl", "tags": ["Product"], "url": "https://megabip.pl/"}, {"source": "cvd@cert.pl", "tags": ["Press/Media Coverage"], "url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "cvd@cert.pl", "type": "Secondary"}]}