Multiple vulnerabilities in MESbook

Posted date 01/07/2024
Importance
5 - Critical
Affected Resources
  • MESbook, version 20221021.03.
Description

INCIBE has coordinated the publication of 4 vulnerabilities, 2 of critical severity and 2 of high severity, affecting MESbook version 20221021.03, a real-time factory management system. They were discovered by David Utón Amaya.

Each vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-6424: 9.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N | CWE-918.
  • CVE-2024-6425: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-684.
  • CVE-2024-6426: 8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | CWE-200.
  • CVE-2024-6427: 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CWE-400.
Solution

The MESbook security team is working on a fix for the reported vulnerabilities.

Detail
  • CVE-2024-6424: server-side request forgery (SSRF) vulnerability, which could allow a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST>" or "/api/Proxy/Get?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST>" to read the source code of web files, read internal files or access network resources.
  • CVE-2024-6425: an unauthenticated remote attacker can register user accounts through the route "/account/Register/" using the parameters "UserName=<RANDOMUSER>&Password=<PASSWORD>&ConfirmPassword=<PASSWORD-REPEAT>".
  • CVE-2024-6426: information exposure vulnerability, the exploitation of which could allow a local attacker, with user privileges, to access different resources by changing the API value of the application.
  • CVE-2024-6427: an unauthenticated remote attacker can use the "message" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and disable the application.
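
While no fix is available, web server access logs can be reviewed for requests to the routes named under CVE-2024-6424 and CVE-2024-6425. The following is an added example, not code from INCIBE or MESbook: it assumes combined-format access logs and case-insensitive routing, the function names and the internal-target heuristics are hypothetical, and the log lines are constructed.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit
import re

# Request line of a combined-format log entry; the target must be a local path.
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>/(?!/)\S*) HTTP/[\d.]+"')
PROXY_PATHS = {"/api/proxy/get", "/api/proxy/post"}  # CVE-2024-6424
REGISTER_PATH = "/account/register"                  # CVE-2024-6425

def classify_uri(value):
    """Return why a proxy 'uri' value deserves review, or None if it looks external."""
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        host = parts.hostname or ""
    except ValueError:
        return "unparseable uri"
    if parts.scheme not in ("", "http", "https"):
        return f"non-HTTP scheme '{parts.scheme}'"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Heuristic (assumption): a bare path or dot-less name is not an external site.
        return "file path or single-label host" if "." not in host else None
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return f"internal address {ip}"
    return None

def scan(lines):
    """Return (line_no, cve, reason) for requests hitting the advisory's routes."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not (m := REQ.search(line)):
            continue
        target = urlsplit(m["target"])
        path = target.path.rstrip("/").lower()  # assumption: case-insensitive routing
        if path in PROXY_PATHS:
            for value in parse_qs(target.query).get("uri", []):
                if reason := classify_uri(value):
                    findings.append((n, "CVE-2024-6424", reason))
        elif path == REGISTER_PATH:
            findings.append((n, "CVE-2024-6425", f"{m['method']} to registration route"))
    return findings

SAMPLE_LOG = [  # constructed entries using documentation address ranges
    '203.0.113.7 - - [01/Jul/2024:10:00:01 +0000] "GET /api/Proxy/Get?userName=&password=&uri=https://example.com/feed HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jul/2024:10:00:05 +0000] "GET /api/Proxy/Get?userName=&password=&uri=file:///path/to/file HTTP/1.1" 200 311',
    '203.0.113.7 - - [01/Jul/2024:10:00:09 +0000] "POST /api/Proxy/Post?userName=&password=&uri=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 90',
    '198.51.100.4 - - [01/Jul/2024:10:02:00 +0000] "POST /account/Register/ HTTP/1.1" 302 0',
]

if __name__ == "__main__": print(*scan(SAMPLE_LOG), sep="\n")
```

Registration hits are listed for review rather than as confirmed abuse, since the access log alone does not show whether an account was created.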