PT-2025-3685 · Megabip · Megabip
Krzysztof Gawkowski · Published 2025-01-10 · Updated 2025-01-10 · CVE-2024-6662
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
MegaBIP versions prior to 5.15
Description
The issue affects websites managed by MegaBIP: the form served at the "/edytor/index.php?id=7,7,0" endpoint has no anti-CSRF protection, so it is vulnerable to Cross-Site Request Forgery (CSRF). An attacker could trick a logged-in administrator into visiting a malicious website that silently submits a forged POST request to this endpoint, potentially leading to the creation of new accounts and the granting of administrative permissions to them.
Recommendations
For versions prior to 5.15, update to version 5.15 or later to resolve the issue.
As a temporary workaround, consider restricting access to the "/edytor/index.php?id=7,7,0" endpoint to minimize the risk of exploitation.
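Beyond blocking the endpoint, defenders will want to know whether it has already been hit. The following is an added example, not part of this advisory or of MegaBIP: a small Python triage script that scans combined-format web-server access logs for POSTs to the vulnerable form whose Referer is missing or points at another site, the trace a forged cross-site request typically leaves. The site host, log format and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory; the site host is an assumed value.
SITE_HOST = "bip.example.gov.pl"
TARGET_PATH = "/edytor/index.php"
TARGET_QUERY = "id=7,7,0"

# Apache/nginx "combined" log format; the quoted Referer field is what we rely on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_target(target: str) -> bool:
    """True when the request line addresses the vulnerable account form."""
    parts = urlsplit(target)
    return parts.path == TARGET_PATH and parts.query == TARGET_QUERY

def referer_host(referer: str):
    """Lower-cased host of the Referer header, or None when absent ("-")."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None

def flag_csrf_candidates(lines, site_host=SITE_HOST):
    """Return (ip, referer, reason) for POSTs to the target form that did not come
    from a page on our own host. A same-host Referer does not prove legitimacy,
    but a foreign or missing one on a state-changing endpoint deserves review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not is_target(m["target"]):
            continue
        host = referer_host(m["referer"])
        if host is None:
            hits.append((m["ip"], m["referer"], "no referer on state-changing POST"))
        elif host != site_host.lower():
            hits.append((m["ip"], m["referer"], f"cross-site referer {host}"))
    return hits

# Constructed sample lines: a legitimate admin save, a forged cross-site POST,
# a POST with the Referer stripped, and an unrelated GET of the same form.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2025:09:12:01 +0100] "POST /edytor/index.php?id=7,7,0 HTTP/1.1" 302 0 "https://bip.example.gov.pl/edytor/index.php?id=7,7,0" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2025:09:14:33 +0100] "POST /edytor/index.php?id=7,7,0 HTTP/1.1" 302 0 "http://attacker.example/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2025:09:15:02 +0100] "POST /edytor/index.php?id=7,7,0 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jan/2025:09:16:10 +0100] "GET /edytor/index.php?id=7,7,0 HTTP/1.1" 200 5120 "https://bip.example.gov.pl/edytor/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_csrf_candidates(SAMPLE_LOG):
        print(*hit)
```

Browsers may omit the Referer under strict referrer policies, so treat a hit as a lead to correlate with the MegaBIP account list and session data rather than as proof of compromise.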
Fix
CSRF
Affected Products
Megabip