LMG Security Researcher Discovers Critical Software Vulnerabilities Affecting Credit Unions

MISSOULA, Mont., Feb. 13, 2024 /PRNewswire/ -- LMG Security, a renowned cybersecurity consulting firm, has uncovered three critical software vulnerabilities that threaten the security of multiple organizations in the United States. Emily Gosney, a cybersecurity consultant at LMG Security, found the vulnerabilities in a web application commonly used by credit unions to manage content. If exploited, they could grant unauthorized users “ultra admin” access to any organization that uses this application.

Emily Gosney immediately communicated the vulnerabilities to the affected organizations, stating, “Impacted organizations using versions prior to v7.75 of this web application are urged to upgrade, and organizations using any version of this CMS should enable multi-factor authentication immediately.” The three vulnerabilities have been assigned the following CVE IDs:

CVE-2023-48985: A reflected cross-site scripting vulnerability in the CMS admin portal login page ‘login.php’ could enable an unauthenticated malicious actor to intercept login credentials for the CMS admin portal. This vulnerability could be combined with CVE-2023-48987 to form a complete “zero to ultra admin” kill chain.

CVE-2023-48986: A reflected cross-site scripting vulnerability in ‘users.php’ within the CMS admin portal could enable a lower privileged malicious actor to escalate privileges or deceive a user of a higher privilege level into carrying out unintended actions within the admin portal.

CVE-2023-48987: A blind SQL injection vulnerability in ‘pages.php’ within the CMS admin portal could enable an authenticated malicious actor to obtain full read/write access to the backend database and utilize it to obtain the “ultra admin” password, which grants access to any organization running this CMS that does not have multi-factor authentication enabled.

Furthermore, Gosney emphasized the significant threat posed by the “ultra admin” account, stating, “Just one organization running an outdated version of this application can put all other users at risk, including those who are already running the latest version.” In order to safeguard against a potential data breach, impacted organizations are strongly advised to upgrade to the latest software version and implement multi-factor authentication as a preventive measure.

Notably, LMG Security’s responsible disclosure of these vulnerabilities to the software provider underscores their commitment to cybersecurity and the promotion of a more secure digital landscape. In alignment with best practices, Gosney also recommended that organizations maintain a high level of vigilance in ensuring supplier security standards and conduct regular penetration testing to identify potential security gaps. The responsible disclosure ensures that affected organizations have adequate time to address existing vulnerabilities before public disclosure.

About LMG Security

LMG Security is a globally recognized leader in cybersecurity consulting, specializing in penetration testing, advisory and compliance services, cybersecurity solutions, and training. With over 15 years of experience, the LMG Security team has been featured on various media platforms and has been widely acknowledged for their expertise in the industry. The firm also publishes cutting-edge research and plays an active role in presenting at leading security conferences. For more information, visit their website at lmgsecurity.com or follow LMG Security on LinkedIn.
