Multiple vulnerabilities in Cups Easy

Posted date 23/01/2024
Identificador
INCIBE-2024-0034
Importance
4 - High
Affected Resources

Cups Easy (Purchase & Inventory), 1.0 version.

Description

INCIBE has coordinated the publication of 42 vulnerabilities of high severity affecting Cups Easy, a PHP-based purchasing and inventory software, which have been discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following codes, with the same CVSS v3.1 base score, CVSS vector and the CWE vulnerability type of each vulnerability:

  • CVE-2024-23855 to CVE-2024-23896: 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N | CWE-79.
Solution

There is no reported solution at this time.

Detail

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability through different paths and parameters. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

The CVEs mapped to the affected URLs and parameters are as follows:

  • CVE-2024-23855: /cupseasylive/taxcodemodify.php, multiple parameters.
  • CVE-2024-23856: /cupseasylive/itemlist.php, description parameter.
  • CVE-2024-23857: /cupseasylive/grnlinecreate.php, batchno parameter.
  • CVE-2024-23858: /cupseasylive/stockissuancelinecreate.php, batchno parameter.
  • CVE-2024-23859: /cupseasylive/taxstructurelinecreate.php, flatamount parameter.
  • CVE-2024-23860: /cupseasylive/currencylist.php, description parameter.
  • CVE-2024-23861: /cupseasylive/unitofmeasurementcreate.php, unitofmeasurementid parameter.
  • CVE-2024-23862: /cupseasylive/grndisplay.php, grnno parameter.
  • CVE-2024-23863: /cupseasylive/taxstructuredisplay.php, description parameter.
  • CVE-2024-23864: /cupseasylive/countrylist.php, description parameter.
  • CVE-2024-23865: /cupseasylive/taxstructurelist.php, description parameter.
  • CVE-2024-23866: /cupseasylive/countrycreate.php, countryid parameter.
  • CVE-2024-23867: /cupseasylive/statecreate.php, stateid parameter.
  • CVE-2024-23868: /cupseasylive/grnlist.php, deleted parameter.
  • CVE-2024-23869: /cupseasylive/stockissuanceprint.php, issuanceno parameter.
  • CVE-2024-23870: /cupseasylive/stockissuancelist.php, delete parameter.
  • CVE-2024-23871: /cupseasylive/unitofmeasurementmodify.php, description parameter.
  • CVE-2024-23872: /cupseasylive/locationmodify.php, description parameter.
  • CVE-2024-23873: /cupseasylive/currencymodify.php, currencyid parameter.
  • CVE-2024-23874: /cupseasylive/companymodify.php, address1 parameter.
  • CVE-2024-23875: /cupseasylive/stockissuancedisplay.php, issuanceno parameter.
  • CVE-2024-23876: /cupseasylive/taxstructurecreate.php, description parameter.
  • CVE-2024-23877: /cupseasylive/currencycreate.php, currencyid parameter.
  • CVE-2024-23878: /cupseasylive/grnprint.php, grnno parameter.
  • CVE-2024-23879: /cupseasylive/statemodify.php, description parameter.
  • CVE-2024-23880: /cupseasylive/taxcodelist.php, description parameter.
  • CVE-2024-23881: /cupseasylive/statelist.php, description parameter.
  • CVE-2024-23882: /cupseasylive/taxcodecreate.php, taxcodeid parameter.
  • CVE-2024-23883: /cupseasylive/taxstructuremodify.php, description parameter.
  • CVE-2024-23884: /cupseasylive/grnmodify.php, grndate parameter.
  • CVE-2024-23885: /cupseasylive/countrymodify.php, countryid parameter.
  • CVE-2024-23886: /cupseasylive/itemmodify.php, bincardinfo parameter.
  • CVE-2024-23887: /cupseasylive/grncreate.php, grndate parameter.
  • CVE-2024-23888: /cupseasylive/stocktransactionslist.php, itemidy parameter.
  • CVE-2024-23889: /cupseasylive/itemgroupcreate.php, itemgroupid parameter.
  • CVE-2024-23890: /cupseasylive/itempopup.php, description parameter.
  • CVE-2024-23891: /cupseasylive/itemcreate.php, itemid parameter.
  • CVE-2024-23892: /cupseasylive/costcentercreate.php, costcenterid parameter.
  • CVE-2024-23893: /cupseasylive/costcentermodify.php, costcenterid parameter.
  • CVE-2024-23894: /cupseasylive/stockissuancecreate.php, issuancedate parameter.
  • CVE-2024-23895: /cupseasylive/locationcreate.php, locationid parameter.
  • CVE-2024-23896: /cupseasylive/stock.php, batchno parameter.
References list