{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5514", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-05-30T01:40:43.656Z", "datePublished": "2024-05-30T02:14:46.713Z", "dateUpdated": "2024-08-01T21:18:05.342Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MinMax CMS", "vendor": "MinMax Digital Technology", "versions": [{"status": "affected", "version": "unknown"}]}], "datePublic": "2024-05-30T02:06:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs."}], "value": "MinMax CMS from\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs."}], "impacts": [{"capecId": "CAPEC-190", "descriptions": [{"lang": "en", "value": "CAPEC-190 Reverse Engineer an Executable to Expose Assumed Hidden Functionality"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-912", "description": "CWE-912: Hidden Functionality", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-05-30T02:14:46.713Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Please ask the vendor for advice."}], "value": "Please ask the vendor for advice."}], "source": {"advisory": "TVN-202405006", "discovery": "EXTERNAL"}, "title": "MinMax CMS - Hidden Functionality", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5514", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-30T14:29:44.054873Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:minmax:minmax:-:*:*:*:*:*:*:*"], "vendor": "minmax", "product": "minmax", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:02:49.067Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:05.342Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:05.342Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5514", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-30T14:29:44.054873Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:minmax:minmax:-:*:*:*:*:*:*:*"], "vendor": "minmax", "product": "minmax", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-30T14:30:19.535Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "MinMax CMS - Hidden Functionality", "source": {"advisory": "TVN-202405006", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-190", "descriptions": [{"lang": "en", "value": "CAPEC-190 Reverse Engineer an Executable to Expose Assumed Hidden Functionality"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MinMax Digital Technology", "product": "MinMax CMS", "versions": [{"status": "affected", "version": "unknown"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Please ask the vendor for advice.", "supportingMedia": [{"type": "text/html", "value": "Please ask the vendor for advice.", "base64": false}]}], "datePublic": "2024-05-30T02:06:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "MinMax CMS from\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.", "supportingMedia": [{"type": "text/html", "value": "MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-912", "description": "CWE-912: Hidden Functionality"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-05-30T02:14:46.713Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5514", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:18:05.342Z", "dateReserved": "2024-05-30T01:40:43.656Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2024-05-30T02:14:46.713Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MinMax CMS from\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs."}, {"lang": "es", "value": "MinMax CMS de MinMax Digital Technology contiene una cuenta de administrador oculta con una contrase\u00f1a fija que no se puede eliminar ni deshabilitar desde la interfaz de administraci\u00f3n. Los atacantes remotos que obtienen esta cuenta pueden eludir las restricciones de control de acceso a IP e iniciar sesi\u00f3n en el sistema backend sin ser registrados en los registros del sistema."}], "id": "CVE-2024-5514", "lastModified": "2024-05-30T13:15:41.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2024-05-30T03:15:08.467", "references": [{"source": "twcert@cert.org.tw", "url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}, {"lang": "en", "value": "CWE-912"}], "source": "twcert@cert.org.tw", "type": "Primary"}]}

{}