CVE-2024-1577

Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue affects MegaBIP software versions through 5.11.2.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cert.pl/en/posts/2024/06/CVE-2024-1576/	Third Party Advisory
https://cert.pl/posts/2024/06/CVE-2024-1576/	Third Party Advisory
https://megabip.pl/	Product
https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej	Press/Media Coverage
https://cert.pl/en/posts/2024/06/CVE-2024-1576/	Third Party Advisory
https://cert.pl/posts/2024/06/CVE-2024-1576/	Third Party Advisory
https://megabip.pl/	Product
https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej	Press/Media Coverage

Configurations

Configuration 1 (hide)

cpe:2.3:a:megabip:megabip:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-06-12 14:15

Updated : 2024-11-21 08:50

NVD link : CVE-2024-1577

Mitre link : CVE-2024-1577

CVE.ORG link : CVE-2024-1577

JSON object : View

Products Affected

megabip

megabip

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2024-1577", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "IRRECOVERABLE", "baseScore": 9.3, "automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:I/V:D/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-06-12T14:15:10.683", "references": [{"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1576/", "tags": ["Third Party Advisory"], "source": "cvd@cert.pl"}, {"url": "https://cert.pl/posts/2024/06/CVE-2024-1576/", "tags": ["Third Party Advisory"], "source": "cvd@cert.pl"}, {"url": "https://megabip.pl/", "tags": ["Product"], "source": "cvd@cert.pl"}, {"url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej", "tags": ["Press/Media Coverage"], "source": "cvd@cert.pl"}, {"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1576/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://cert.pl/posts/2024/06/CVE-2024-1576/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://megabip.pl/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej", "tags": ["Press/Media Coverage"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving\u00a0crafted by the attacker PHP code to one of the website files.\u00a0This issue affects MegaBIP software versions through 5.11.2."}, {"lang": "es", "value": "La vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en el software MegaBIP permite ejecutar c\u00f3digo arbitrario en el servidor sin requerir autenticaci\u00f3n al guardar el c\u00f3digo PHP creado por el atacante en uno de los archivos del sitio web. Este problema afecta a todas las versiones del software MegaBIP."}], "lastModified": "2024-11-21T08:50:52.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:megabip:megabip:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F6DA36F-518E-4F83-B106-126ADB3E42CC", "versionEndIncluding": "5.11.2"}], "operator": "OR"}]}], "sourceIdentifier": "cvd@cert.pl"}