| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | mbCONNECT24 | <= 2.13.3 |
| | mymbCONNECT24 | <= 2.13.3 |
Two vulnerabilities have been discovered in mbCONNECT24 and mymbCONNECT24 in all versions through 2.13.3.
An Authorization Bypass vulnerability was found in MB Connect Line's mbCONNECT24 and mymbCONNECT24 and in Helmholz' myREX24 and myREX24.virtual in versions <= 2.13.3. An authenticated remote user with low privileges can change the password of any user in the same account. This allows the attacker to take over the admin user and therefore fully compromise the account.
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in MB Connect Line's mbCONNECT24 and mymbCONNECT24 and in Helmholz' myREX24 and myREX24.virtual in versions <= 2.13.3 allows an authorized remote attacker with low privileges to view a limited amount of another account's contact information.
Please consult the CVE Entries.
Mitigation for CVE-2023-0985:
If you have MFA enabled on the admin user, the password will still be set, but the attacker will be unable to log in because MFA is still in place.
Remediation
Update to the latest version: 2.13.4
CVE-2023-1779 was reported by Helmholz GmbH & Co. KG
CVE-2023-0985 was reported by Hussein Alsharafi
CERT@VDE coordinated with MB Connect Line & Helmholz