Full Report
Two new vulnerabilities (CVE-2024-6662 and CVE-2024-6880) have been found in MegaBIP, a CMS used by Polish public institutions to publish their Biuletyn Informacji Publicznej (BIP). Both are fixed in version 5.15.
Analysis Summary
# Vulnerability Summary: MegaBIP Software Flaws
## Vulnerability: CVE-2024-6662 (CSRF in Admin Panel)
## CVE Details
- CVE ID: CVE-2024-6662
- CVSS Score: N/A (no score is given in the source advisory)
- CWE: Cross-Site Request Forgery (CSRF) (CWE-352)
## Affected Systems
- Products: MegaBIP
- Versions: All before 5.15
- Configurations: Any instance whose administrator holds an active session in the `/edytor/` panel and can be lured to an attacker-controlled page. The administrator does not need to interact with the vulnerable form directly; the browser submits the forged request on their behalf.
## Vulnerability Description
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the form served at `/edytor/index.php?id=7,7,0`. A malicious page visited by a logged-in administrator can cause the browser to submit a forged POST request to this endpoint; because the browser attaches the administrator's session cookie automatically, the application processes the request as if the administrator had submitted the form. Successful exploitation creates a new user account, potentially with administrative permissions, giving the attacker persistent access to the panel.
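The following is an added illustration, not MegaBIP's code: a minimal account-creation handler modelled on the behaviour described above, first without any CSRF defence and then hardened with a per-session synchronizer token plus an Origin/Referer check. The site origin, cookie name, session store and form field names are assumptions for the example; the only thing taken from the advisory is the endpoint path and its effect. The forged request carries the victim's session cookie (the browser adds it) but cannot carry the token, which the attacker's page has no way to read.

```python
"""Illustrative CSRF-vulnerable vs hardened handler for an admin 'add user' form.
Hypothetical code written for this summary; it is not MegaBIP's implementation."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bip.example.gov.pl"   # assumed origin of the MegaBIP instance
ENDPOINT = "/edytor/index.php?id=7,7,0"      # endpoint named in the advisory


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict
    form: dict


@dataclass
class Session:
    user: str
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


SESSIONS = {}                 # session cookie value -> Session (assumed in-memory store)
USERS = {"admin": "admin"}    # username -> role


def login(user, role):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user, role)
    return sid


def _authenticated_admin(req):
    sess = SESSIONS.get(req.cookies.get("PHPSESSID"))
    return sess if sess and sess.role == "admin" else None


def vulnerable_add_user(req):
    """Pre-fix behaviour as described: any POST carrying a valid admin session is honoured."""
    if req.method != "POST" or req.path != ENDPOINT:
        return 404
    if not _authenticated_admin(req):
        return 403
    USERS[req.form["login"]] = req.form.get("role", "user")
    return 200


def hardened_add_user(req):
    """Same endpoint with two independent defences: the Origin (or Referer) must be our
    own origin, and the form must echo the per-session token in constant-time comparison."""
    if req.method != "POST" or req.path != ENDPOINT:
        return 404
    sess = _authenticated_admin(req)
    if not sess:
        return 403
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
        return 403
    USERS[req.form["login"]] = req.form.get("role", "user")
    return 200


def forged_request(sid):
    """What the victim's browser sends after auto-submitting the attacker's hidden form:
    the session cookie rides along, but Origin is the attacker's and there is no token."""
    return Request("POST", ENDPOINT, {"PHPSESSID": sid},
                   {"Origin": "https://attacker.example"},
                   {"login": "backdoor", "role": "admin"})


def legitimate_request(sid):
    """A genuine submission from the panel: same-origin and carrying the session token."""
    return Request("POST", ENDPOINT, {"PHPSESSID": sid}, {"Origin": SITE_ORIGIN},
                   {"login": "editor2", "role": "user", "csrf_token": SESSIONS[sid].csrf_token})


def demo():
    sid = login("admin", "admin")
    results = {
        "vulnerable_forged": vulnerable_add_user(forged_request(sid)),  # accepted: 200
        "hardened_forged": hardened_add_user(forged_request(sid)),      # rejected: 403
        "hardened_legit": hardened_add_user(legitimate_request(sid)),   # accepted: 200
    }
    return results, dict(USERS)


if __name__ == "__main__":
    print(demo())
```

Both checks are kept because each covers a gap in the other: the token is the primary defence, while the Origin check still rejects forged requests if a token is ever leaked through another bug. Browsers always send `Origin` on cross-site POSTs, so a missing header is itself a reason to refuse a state-changing request.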
## Exploitation
- Status: No public PoC is cited in the source; the finding was coordinated through CERT Polska's CVD process. The endpoint and effect are described precisely enough that constructing a forged form is straightforward.
- Complexity: Low to Medium (no authentication bypass is needed, but the victim must hold an active administrator session and visit an attacker-controlled page; user interaction required)
- Attack Vector: Network
## Impact
- Confidentiality: Indirect (an attacker-created administrator account can subsequently read everything the panel exposes)
- Integrity: High (unauthorized account creation and potential administrative permission changes)
- Availability: Low
## Remediation
### Patches
- Update MegaBIP to version **5.15** or later.
### Workarounds
- No workaround is given in the source. Until the update is applied, the usual CSRF hygiene reduces exposure: administrators should log out of `/edytor/` when not actively editing and avoid browsing other sites in the same browser profile while logged in, and the user list should be reviewed for accounts nobody created.
## Detection
- Detection methods and tools: A forged request is sent by the administrator's own browser, so its source IP is the administrator's and is not a useful discriminator. Instead, log POST requests to `/edytor/index.php?id=7,7,0` together with their `Origin` and `Referer` headers and flag any whose origin is missing or is not the site itself; independently, audit the user table for accounts created outside known administrative activity.
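As an added example (not from the original advisory), the following script applies that check to web-server access logs. The log lines are constructed for the example in Apache "combined" format, and the hostname is assumed. Combined logs carry `Referer` but not `Origin`; to log the stronger signal, add `%{Origin}i` to the Apache `LogFormat` (or `$http_origin` in nginx) and extend the regex accordingly.

```python
"""Flag POSTs to the MegaBIP user-creation endpoint whose Referer is absent or cross-site.
Hypothetical detection code written for this summary; sample log lines are constructed."""
import re

SITE_HOST = "bip.example.gov.pl"          # assumed hostname of the MegaBIP instance
TARGET = "/edytor/index.php?id=7,7,0"     # endpoint named in the advisory

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic (not real logs): one legitimate admin session, then two
# suspicious POSTs from the same admin IP, one from an attacker page and one with no Referer.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2024:10:01:02 +0200] "GET /edytor/index.php?id=7,7,0 HTTP/1.1" 200 5120 "https://bip.example.gov.pl/edytor/index.php" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2024:10:01:40 +0200] "POST /edytor/index.php?id=7,7,0 HTTP/1.1" 302 0 "https://bip.example.gov.pl/edytor/index.php?id=7,7,0" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2024:10:07:15 +0200] "POST /edytor/index.php?id=7,7,0 HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2024:10:09:03 +0200] "POST /edytor/index.php?id=7,7,0 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jul/2024:10:10:00 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def referer_host(referer):
    """Host part of a Referer URL, lower-cased; None for '-' or anything that is not a URL."""
    m = re.match(r"https?://([^/:]+)", referer)
    return m.group(1).lower() if m else None


def suspicious_posts(log_text):
    """Return POSTs to TARGET whose Referer host is missing or differs from SITE_HOST.
    The source IP is deliberately not used as a filter: a CSRF request comes from the
    victim's own address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != TARGET:
            continue
        host = referer_host(m["referer"])
        if host != SITE_HOST:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "referer": m["referer"],
                "reason": "missing Referer" if host is None else "cross-site Referer",
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE_LOG):
        print(hit)
```

A missing `Referer` is a weaker signal than a cross-site one, since an attacker page can suppress it with `Referrer-Policy: no-referrer`; that is exactly why logging `Origin`, which browsers attach to every cross-site POST regardless of referrer policy, is worth the extra log field.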
## References
- Vendor: Jan Syski (MegaBIP author); the fix ships in the 5.15 release, and no separate vendor advisory is cited in the source.
- Relevant links:
- cve org record: hxxps://www.cve.org/CVERecord?id=CVE-2024-6662
- CERT Polska CVD process: hxxps://cert.pl/en/cvd/
---
## Vulnerability: CVE-2024-6880 (Information Disclosure in Installation Path)
## CVE Details
- CVE ID: CVE-2024-6880
- CVSS Score: N/A (no score is given in the source advisory)
- CWE: Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538)
## Affected Systems
- Products: MegaBIP
- Versions: All before 5.15
- Configurations: Default or non-modified installation paths.
## Vulnerability Description
During installation the software encourages the user to change the default path to the administrative portal, presenting a secret path as a security mechanism. However, the publicly served source of `/registered.php` discloses that default path, so the intended obscurity is lost: an attacker can read the path from a page that requires no authentication and then target the administrative portal directly with further attacks (credential guessing, or the CSRF flaw above). Path secrecy was never an access control, but the disclosure removes even the limited friction it provided.
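The check a practitioner would want here, added as an example that is not part of the advisory, is a scan of everything the public side of the site serves for references to the configured administrative path, in response bodies and in redirect headers alike. The page contents below are constructed to model the disclosure described above; the admin path `/edytor/` is assumed from the endpoint named for CVE-2024-6662, and a real run would feed it the output of a crawl of the unauthenticated site.

```python
"""Find public responses that reveal the administrative portal path.
Hypothetical check written for this summary; sample pages are constructed, not captured."""
import re

ADMIN_PATH = "/edytor/"   # assumed configured admin path; substitute the instance's own

# Constructed (url, response headers, body) triples standing in for a crawl of the public site.
SAMPLE_PAGES = [
    ("/index.php", {"Content-Type": "text/html"},
     "<html><body><a href='/registered.php'>Login</a></body></html>"),
    ("/registered.php", {"Content-Type": "text/html"},      # models the disclosure
     '<html><body>Zalogowany. <a href="/edytor/index.php">Panel</a></body></html>'),
    ("/archiwum/", {"Content-Type": "text/html"},           # similar prefix, must not match
     '<html><body><a href="/edytorium/">Archiwum</a></body></html>'),
    ("/logout.php", {"Location": "/edytor/"}, ""),          # leak via redirect header
    ("/edytor/index.php", {"Content-Type": "text/html"},    # the panel itself is skipped
     "<a href='/edytor/'>home</a>"),
]


def find_admin_path_leaks(pages, admin_path):
    """Return (url, where, snippet) for every public response that mentions admin_path.
    The path must be followed by a delimiter so '/edytor' does not match '/edytorium'."""
    needle = admin_path.rstrip("/")
    pat = re.compile(re.escape(needle) + r'(?=[/"\'?#\s>]|$)')
    leaks = []
    for url, headers, body in pages:
        if url.startswith(admin_path):
            continue  # the panel legitimately references itself; only public pages matter
        for name, value in headers.items():
            if pat.search(value):
                leaks.append((url, f"header {name}", value))
        for m in pat.finditer(body):
            start = max(0, m.start() - 30)
            leaks.append((url, "body", body[start:m.end() + 30].strip()))
    return leaks


if __name__ == "__main__":
    for leak in find_admin_path_leaks(SAMPLE_PAGES, ADMIN_PATH):
        print(leak)
```

Run this against a fresh crawl after upgrading and again after changing the path; any hit is a page that still hands the path to an unauthenticated visitor. It finds only literal references, so a path assembled in JavaScript at runtime would still need a manual look.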
## Exploitation
- Status: No exploit code is needed; the finding came from CERT Polska's own research, and reading the publicly served source of `/registered.php` is sufficient to learn the path.
- Complexity: Low (unauthenticated source review of a public page)
- Attack Vector: Network
## Impact
- Confidentiality: Limited (only the administrative portal path is disclosed; no credentials or data are exposed by this flaw alone)
- Integrity: Indirect (the disclosed path is the entry point for follow-on attacks such as credential guessing or the CSRF flaw above)
- Availability: Low
## Remediation
### Patches
- Update MegaBIP to version **5.15** or later.
### Workarounds
- Change the administrative portal path from the default during installation, or afterwards on existing instances, and after applying the patch verify that no publicly served file still references it. Treat the path as obscurity only: it does not replace strong administrator passwords, rate limiting on the login form, or restricting the panel to trusted networks where the deployment allows it.
## Detection
- Detection methods and tools: On instances whose path has been changed, requests to the old default administrative path are by definition not from legitimate users; alert on them, and on unauthenticated clients that fetch `/registered.php` and then immediately probe the administrative portal. Login failures on the portal from addresses that never visited the public site in the usual way are a further indicator.
## References
- Vendor: Jan Syski (MegaBIP author); the fix ships in the 5.15 release, and no separate vendor advisory is cited in the source.
- Relevant links:
- cve org record: hxxps://www.cve.org/CVERecord?id=CVE-2024-6880