Lucene search

CERT-PLVULNRICHMENT:CVE-2024-1577

HistoryJun 12, 2024 - 1:47 p.m.

CVE-2024-1577 Remote Code Execution in MegaBIP

2024-06-1213:47:31

CWE-94

CERT-PL

github.com

remote code execution

megabip

software vulnerability

server

authentication

php code

cve-2024-1577

CVSS4

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N/AU:Y/U:Amber/R:I/V:D/RE:M

AI Score

8.5

Confidence

Low

EPSS

0.001

Percentile

23.6%

SSVC

Exploitation

none

Automatable

yes

Technical Impact

total

JSON

Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue affects MegaBIP software versions through 5.11.2.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:jan_syski:megabip:*:*:*:*:*:*:*:*"
    ],
    "vendor": "jan_syski",
    "product": "megabip",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "5.11.2"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

cert.pl/en/posts/2024/06/CVE-2024-1576/

cert.pl/posts/2024/06/CVE-2024-1576/

megabip.pl/

www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej

CVSS4

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N/AU:Y/U:Amber/R:I/V:D/RE:M

AI Score

8.5

Confidence

Low

EPSS

0.001

Percentile

23.6%

SSVC

Exploitation

none

Automatable

yes

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-1577