CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6880 – CSRF in MegaBIP
https://notcve.org/view.php?id=CVE-2024-6880
10 Jan 2025 — During MegaBIP installation process, a user is encouraged to change a default path to administrative portal, as keeping it secret is listed by the author as one of the protection mechanisms. Publicly available source code of "/registered.php" discloses that path, allowing an attacker to attempt further attacks. This issue affects MegaBIP software versions below 5.15 • https://cert.pl/en/posts/2024/09/CVE-2024-6680 • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6662 – CSRF in MegaBIP
https://notcve.org/view.php?id=CVE-2024-6662
10 Jan 2025 — Websites managed by MegaBIP in versions below 5.15 are vulnerable to Cross-Site Request Forgery (CSRF) as the form available under "/edytor/index.php?id=7,7,0" lacks protection mechanisms. A user could be tricked into visiting a malicious website, which would send POST request to this endpoint. If the victim is a logged in administrator, this could lead to creation of new accounts and granting of administrative permissions. Websites managed by MegaBIP in versions below 5.15 are vulnerable to Cross-Site Requ... • https://cert.pl/en/posts/2024/09/CVE-2024-6662 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6527 – SQL Injection in MegaBIP
https://notcve.org/view.php?id=CVE-2024-6527
09 Jul 2024 — SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthorized attacker to disclose the contents of the database and obtain administrator's token to modify the content of pages. This issue affects MegaBIP software versions through 5.13. SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthorized attacker to disclose the contents of the database and obtain administrator's token to modify the content of pages. This issue affe... • https://cert.pl/en/posts/2024/07/CVE-2024-6527 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6160 – SQL Injection in MegaBIP
https://notcve.org/view.php?id=CVE-2024-6160
24 Jun 2024 — SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages. This issue affects MegaBIP software versions through 5.12.1. SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages. This issue affects MegaBIP software versions through 5.12.1. • https://cert.pl/en/posts/2024/06/CVE-2024-6160 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1659 – Arbitrary File Upload in MegaBIP
https://notcve.org/view.php?id=CVE-2024-1659
12 Jun 2024 — Arbitrary File Upload vulnerability in MegaBIP software allows attacker to upload any file to the server (including a PHP code file) without an authentication. This issue affects MegaBIP software versions through 5.10. La vulnerabilidad de carga arbitraria de archivos en el software MegaBIP permite a un atacante cargar cualquier archivo al servidor (incluido un archivo de código PHP) sin autenticación. Este problema afecta a las versiones del software MegaBIP hasta la 5.10. Arbitrary File Upload vulnerabili... • https://cert.pl/en/posts/2024/06/CVE-2024-1576 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1577 – Remote Code Execution in MegaBIP
https://notcve.org/view.php?id=CVE-2024-1577
12 Jun 2024 — Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue affects MegaBIP software versions through 5.11.2. La vulnerabilidad de ejecución remota de código en el software MegaBIP permite ejecutar código arbitrario en el servidor sin requerir autenticación al guardar el código PHP creado por el atacante en uno de los archivos del sitio web. Este prob... • https://cert.pl/en/posts/2024/06/CVE-2024-1576 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1576 – SQL Injection in MegaBIP
https://notcve.org/view.php?id=CVE-2024-1576
12 Jun 2024 — SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. This issue affects MegaBIP software versions through 5.09. La vulnerabilidad de inyección SQL en el software MegaBIP permite al atacante obtener privilegios de administrador del sitio, incluido el acceso al panel de administración y la capacidad de cambiar la contraseña del administrador. Este problema afec... • https://cert.pl/en/posts/2024/06/CVE-2024-1576 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-5378 – Stored XSS in SmodBIP and MegaBIP
https://notcve.org/view.php?id=CVE-2023-5378
29 Jan 2024 — Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2. MegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown. Vulnerabilidad de validación de entrada incorrecta en MegaBIP y el software SmodBIP que ya no es compatible permite almacenar XSS. Este problema afecta a SmodBIP en todas las versiones y a MegaBIP en versiones hast... • https://cert.pl/en/posts/2023/12/CVE-2023-5378 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •