PRESS RELEASE
MISSOULA, Mont., Feb. 13, 2024 /PRNewswire/ — LMG Security, an internationally recognized cybersecurity consultancy, has discovered three new critical software vulnerabilities that pose a significant threat to hundreds of organizations across the United States. Emily Gosney, a cybersecurity consultant at LMG Security, discovered these vulnerabilities in a web application used primarily by credit unions to manage content. An attacker could exploit these vulnerabilities to gain “ultra administrator” access to any organization running this application.
“Affected organizations using versions prior to v7.75 of this web application are encouraged to upgrade, and organizations using any version of this CMS should immediately enable multi-factor authentication,” said Emily Gosney, information security consultant at LMG Security. The identified vulnerabilities have been assigned the following CVE IDs:
- CVE-2023-48985: A reflected cross-site scripting vulnerability in the CMS Administration Portal login page “login.php” could allow an unauthenticated attacker to intercept login credentials for the CMS Administration Portal. This vulnerability could be chained with CVE-2023-48987 to form a complete “zero to ultra administrator” kill chain.
- CVE-2023-48986: A reflected cross-site scripting vulnerability in “users.php” within the CMS Administration Portal could allow an attacker with lower privileges to elevate privileges, or to deceive a user with a higher privilege level into performing unintended actions within the administration portal.
- CVE-2023-48987: A blind SQL injection vulnerability in “pages.php” within the CMS Administration Portal could allow an authenticated attacker to gain full read/write access to the backend database and exploit it to obtain the “ultra admin” password, which grants access to any organization running this CMS that does not have multi-factor authentication enabled.
“The ‘ultra admin’ account is a backdoor vendor account that grants access to every installation of this application globally,” Gosney continued. “Just one organization running an outdated version of this application can put all other users at risk, including those already using the latest version.”
To protect against a data breach, Gosney advises: “Affected organizations should immediately update to the latest software version and enable multi-factor authentication to prevent malicious actors with the ‘ultra admin’ password from accessing the application portal.” These findings were reported to the application vendor, which was given more than the standard 90-day timeframe to resolve the issues prior to this announcement. For the vendor’s name and complete details about the affected software, please visit: https://www.LMGsecurity.com/news/critical-software-vulnerabilities-impacting-credit-unions-discovered-by-lmg-security-researcher-immediate-action-recommended/.
Gosney recommends that organizations remain vigilant about the security standards of current and potential vendors. Gosney also recommends that organizations conduct penetration tests that include web applications and cloud environments at least once a year, so that experts can identify security gaps before an attacker uses them to breach the environment. LMG Security’s discovery and disclosure of these vulnerabilities reaffirms our commitment to cybersecurity and to creating a safer web. LMG Security responsibly disclosed all three vulnerabilities to the software vendor, and the software vendor may have addressed these vulnerabilities in version 7.75 of the application.
ABOUT LMG Security
LMG Security is an internationally recognized leader in cybersecurity consulting, specializing in penetration testing, consulting and compliance services, cybersecurity solutions and training. For the last 15 years, the LMG Security team has appeared on the Today show, and team members have been featured in the New York Times, the Wall Street Journal, and many other publications. Additionally, the team has published cutting-edge research and written books on the topics of ransomware and cyber extortion, network forensic analysis, and data breaches, and speaks regularly at Black Hat, RSA, and many other security conferences. For more information visit LMGsecurity.com or follow LMG Security on LinkedIn.