SB2021030313 - Multiple vulnerabilities in MB connect line mbCONNECT24 and mymbCONNECT24


Published: March 3, 2021

Security Bulletin ID: SB2021030313
Severity: Medium
Patch available: NO
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 67%, Low: 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Use of hard-coded credentials (CVE-ID: CVE-2020-35567)

The vulnerability allows a local user to gain full access to the vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in the application code. A local user who extracts them from the code can authenticate to the affected system with those credentials. Because the credentials are embedded in shipped code rather than configured by the operator, they cannot be rotated on the installation side.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.



2) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2020-35565)

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists because brute-force detection is disabled by default on the login page, so repeated failed logins are neither throttled nor locked out unless the operator has turned the feature on. A remote attacker can launch a brute-force authentication attack against the login page and, once a valid credential is guessed, gain access to sensitive information.
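The practical difference between the weak default and an enabled brute-force guard is easiest to see on a log replay. The following is an added illustration, not code from mbCONNECT24 or from this bulletin: the log lines are constructed (the product's real log format is not documented here), and the sliding-window lockout in BruteForceGuard is a generic design, with enabled=False standing in for the bulletin's "disabled by default" state.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of web-portal authentication events (not real mbCONNECT24 log
# output; the product's actual log format is not documented on this page).
# Seven failed logins for "admin" from one source in 15 seconds, an ordinary user's
# typo-and-retry, then a successful "admin" login once the password has been guessed.
SAMPLE_LOG = """\
2021-03-03T10:00:01 LOGIN_FAIL user=admin src=198.51.100.7
2021-03-03T10:00:03 LOGIN_FAIL user=admin src=198.51.100.7
2021-03-03T10:00:05 LOGIN_FAIL user=admin src=198.51.100.7
2021-03-03T10:00:08 LOGIN_FAIL user=admin src=198.51.100.7
2021-03-03T10:00:10 LOGIN_FAIL user=admin src=198.51.100.7
2021-03-03T10:00:12 LOGIN_FAIL user=admin src=198.51.100.7
2021-03-03T10:00:15 LOGIN_FAIL user=admin src=198.51.100.7
2021-03-03T10:00:20 LOGIN_FAIL user=alice src=203.0.113.9
2021-03-03T10:00:40 LOGIN_OK user=alice src=203.0.113.9
2021-03-03T10:01:30 LOGIN_OK user=admin src=198.51.100.7
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, credential_valid, user, src)."""
    ts_text, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), event == "LOGIN_OK", kv["user"], kv["src"]


class BruteForceGuard:
    """Sliding-window failure counter with a per-account lockout (hypothetical design).

    enabled=False reproduces the bulletin's weak default: attempts are logged but
    never throttled, so a guessed password is simply accepted.
    """

    def __init__(self, enabled=True, max_failures=5,
                 window=timedelta(minutes=5), lockout=timedelta(minutes=15)):
        self.enabled = enabled
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> datetime the lockout expires
        self.lockouts = 0

    def observe(self, ts, credential_valid, user):
        """Return 'blocked' if the attempt must be refused before the password is
        even checked, otherwise 'allowed' (the caller then verifies the credential)."""
        if self.enabled:
            until = self.locked_until.get(user)
            if until is not None and ts < until:
                return "blocked"
        if credential_valid:
            self.failures.pop(user, None)    # a real login clears the counter
            return "allowed"
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the window
        if self.enabled and len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            self.lockouts += 1
            recent.clear()
        return "allowed"


def replay(log_text, guard):
    """Run the guard over the log and summarise what it would have done."""
    decisions = []
    for line in log_text.splitlines():
        ts, valid, user, src = parse_line(line)
        decisions.append((ts.isoformat(), user, src, valid, guard.observe(ts, valid, user)))
    return {
        "attempts": len(decisions),
        "blocked": sum(1 for d in decisions if d[4] == "blocked"),
        "lockouts": guard.lockouts,
        "decisions": decisions,
    }


if __name__ == "__main__":
    for enabled in (False, True):
        summary = replay(SAMPLE_LOG, BruteForceGuard(enabled=enabled))
        print(f"detection enabled={enabled}: {summary['blocked']} of "
              f"{summary['attempts']} attempts blocked, {summary['lockouts']} lockout(s)")
```

With the guard disabled every attempt, including the attacker's eventual correct guess at 10:01:30, is evaluated and accepted; with it enabled the fifth failure locks the account and the later correct guess is refused, while alice's single typo never reaches the threshold. A production guard should also count per source address, add a delay rather than only a hard lockout, and alert on lockouts, since an account lockout keyed only on the username can itself be abused to deny service to legitimate users.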



3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-35561)

The vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in the HA module. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems on the application's behalf.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network, or to send malicious requests to other servers from the vulnerable system.
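The bulletin does not say which HA module parameter carries the target, so the following is a generic illustration of the input validation that is missing in an SSRF of this kind; it is added here and is not mbCONNECT24 code. check_target_naive shows a scheme-only check that still lets the server be pointed at loopback, RFC 1918 and link-local addresses; check_target is a hardened version that restricts scheme, port and optionally hostname, resolves the name, rejects any non-global address and returns a pinned IP for the caller to connect to. The resolver table and hostnames are constructed stand-ins for DNS.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def check_target_naive(url):
    """Scheme-only check: the kind of validation that leaves SSRF open.
    Any http(s) URL passes, including loopback, RFC 1918 and link-local targets."""
    return urlsplit(url).scheme in ALLOWED_SCHEMES


def check_target(url, resolve, allowed_hosts=None):
    """Decide whether a server-side fetch of `url` may proceed.

    `resolve(hostname)` returns a list of IP strings; production code would wrap
    socket.getaddrinfo, the example below uses a constructed table. Returns
    (ok, reason, pinned_ip). When ok, the caller must connect to pinned_ip (with
    the Host header set to the hostname) instead of resolving again, otherwise a
    DNS change between check and use (rebinding) defeats the check.
    """
    try:
        parts = urlsplit(url)
        port = parts.port                     # raises ValueError on a bad port
    except ValueError:
        return False, "malformed URL", None
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if parts.username or parts.password:
        return False, "userinfo not allowed", None   # http://trusted@evil/ tricks
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", None
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on allowlist", None
    try:
        addresses = [ipaddress.ip_address(host)]      # literal IP in the URL
    except ValueError:
        resolved = resolve(host)
        if not resolved:
            return False, "unresolvable host", None   # fail closed
        addresses = [ipaddress.ip_address(a) for a in resolved]
    # Every address the name maps to must be globally routable; a single private
    # record is enough for the fetch to land inside the local network.
    for addr in addresses:
        if not addr.is_global:
            return False, f"non-global address {addr}", None
    return True, "ok", str(addresses[0])


# Constructed resolver table standing in for DNS (hypothetical names).
FAKE_DNS = {
    "partner.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://partner.example/status", "http://intranet.example/",
              "http://169.254.169.254/latest/meta-data/", "http://[::1]:80/",
              "http://rebind.example/", "file:///etc/passwd"):
        print(f"{u:45} naive={check_target_naive(u)!s:5} hardened={check_target(u, fake_resolve)}")
```

The allowlist argument is the strongest control and should be used wherever the legitimate set of peers is known in advance, as is usually the case for a high-availability peer; the address checks are the fallback for cases where the target is genuinely user-chosen. Redirects must be re-validated with the same function, because a 3xx from an allowed host otherwise becomes a second, unchecked request.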


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.