Multiple vulnerabilities in Janobe products

Posted date 06/08/2024
Identificador
INCIBE-2024-0388
Importance
5 - Critical
Affected Resources
  • PayPal/Credit Card/Debit Card Payment 1.0;
  • School Attendance Monitoring System 1.0 (discontinued product);
  • School Event Management System 1.0.
Description

INCIBE has coordinated the publication of 40 vulnerabilities affecting Janobe, a payment system that integrates several payment methods, such as PayPal, Credit Card, Debit Card Payment 1.0, School Attendance Monitoring System 1.0 and School Event Management System 1.0. These vulnerabilities have been discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • CVE-2024-33957 a CVE-2024-33974: 9.8 | CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89.
  • CVE-2024-33975 a CVE-2024-33995: 7.1 | CVSS:3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | CWE-79.
Solution

There is no reported solution at this time.

Detail
  • CVE-2024-33957 and CVE-2024-33958: SQL injection vulnerability in E-Negosyo System affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following parameters:
    • CVE-2024-33957: 'id' in '/admin/orders/controller.php'.
    •  CVE-2024-33958: 'phonenumber' in '/passwordrecover.php'.
  • CVE-2024-3359 to CVE-2024-3366: SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following parameters:
    • CVE-2024-33959: 'categ' in '/admin/mod_reports/printreport.php'.
    • CVE-2024-33960: 'end' in '/admin/mod_reports/printreport.php'.
    • CVE-2024-33961: 'code' in '/admin/mod_reservation/controller.php'.
    • CVE-2024-33962: 'code' in '/admin/mod_reservation/index.php'.
    • CVE-2024-33963: 'id' in '/admin/mod_room/index.php'.
    • CVE-2024-33964: 'id' in '/admin/mod_users/index.php'.
    • CVE-2024-33965: 'view' in '/tubigangarden/admin/mod_accomodation/index.php'.
    • CVE-2024-33966: 'xtsearch' in '/admin/mod_reports/index.php'.
  • CVE-2024-33967 to CVE-2024-33974: SQL injection vulnerability in School Attendance Monitoring System and School Event Management System 1.0 affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following parameters:
    • CVE-2024-33967: 'Attendance' and 'YearLevel' in '/AttendanceMonitoring/report/attendance_print.php'.
    • CVE-2024-33968: 'Attendance' and 'YearLevel' in '/AttendanceMonitoring/report/index.php'.
    • CVE-2024-33969: 'id' in '/AttendanceMonitoring/department/index.php'.
    • CVE-2024-33970: 'studid' in '/candidate/controller.php'.
    • CVE-2024-33971: 'username' in '/login.php'.
    • CVE-2024-33972: 'events' in '/report/event_print.php'.
    • CVE-2024-33973: 'Attendance' and 'YearLevel' in '/report/attendance_print.php'.
    • CVE-2024-33974: 'Users in '/report/printlogs.php'.
  • CVE-2024-33975 and CVE-2024-33976: Cross-Site Scripting (XSS) vulnerability in E-Negosyo System affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload to an authenticated user and partially take over their browser session via the following parameters:
    • CVE-2024-33975: 'view' in '/admin/products/index.php'.
    • CVE-2024-33976: 'id' in '/admin/user/index.php'.
  • CVE-2024-33977 and CVE-2024-33978: Cross-Site Scripting (XSS) vulnerability in E-Negosyo System affecting version 1.0. An attacker could create a specially crafted URL and send it to a victim to obtain their session cookie details via the following parameters:
    • CVE-2024-33977: 'view' in /admin/orders/index.php'.
    • CVE-2024-33978: 'category' in /index.php'.
  • CVE-2024-33979 to CVE-2024-33981: Cross-Site Scripting (XSS) vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could create a specially crafted URL and send it to a victim to obtain details of their session cookie via the following parameters:
    • CVE-2024-33979: 'q', 'arrival', 'departure' and 'accomodation' in '/index.php'. 
    • CVE-2024-33980: 'start' in '/admin/mod_reports/printreport.php'.
    • CVE-2024-33981. 'start in '/admin/mod_reports/index.php'.
  • CVE-2024-33982 to CVE-2024-33988: Cross-Site Scripting (XSS) vulnerability in School Attendance Monitoring System and School Event Management System affecting version 1.0. An attacker could create a specially crafted URL and send it to a victim to obtain details of their session cookie via the following parameters:
    • CVE-2024-33982: 'StudentID' in '/AttendanceMonitoring/student/controller.php'.
    • CVE-2024-33983: 'Attendance', 'attenddate' and 'YearLevel' in '/AttendanceMonitoring/report/attendance_print.php'.
    • CVE-2024-33984: 'Attendance', 'attenddate' and 'YearLevel' in '/AttendanceMonitoring/report/index.php'.
    • CVE-2024-33985: 'View' in '/course/index.php'.
    • CVE-2024-33986: 'View' in '/department/index.php'.
    • CVE-2024-33987: 'Attendance', 'attenddate', 'YearLevel', 'eventdate', 'events', 'Users' and 'YearLevel' in '/report/index.php'.
    • CVE-2024-33988: 'Attendance', 'attenddate' and 'YearLevel' in '/report/attendance_print.php'.
  • CVE-2024-33989 and CVE-2024-33990: Cross-Site Scripting (XSS) vulnerability in School Event Management System affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted javascript payload to an authenticated user and partially take over their browser session via the following parameters:
    • CVE-2024-33989: 'eventdate' and 'events' in 'port/event_print.php'.
    • CVE-2024-33990: 'id' and 'view' in '/user/index.php'.
  • CVE-2024-33991 and CVE-2024-33992: Cross-Site Scripting (XSS) vulnerability in School Event Management System affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the parameters:
    • CVE-2024-33991: 'view' in '/eventwinner/index.php'.
    • CVE-2024-33992: 'view' in '/student/index.php'.
  • CVE-2024-33993 and CVE-2024-33994: Cross-Site Scripting (XSS) vulnerability in School Event Management System affecting version 1.0. An attacker could create a specially crafted URL and send it to a victim to obtain their session details via parameters:
    • CVE-2024-33993 'view' in /candidate/index.php'.
    • CVE-2024-33994 'view' in '/event/index.php'.