Summary
Multiples issues exist in mymbCONNECT24 and mbCONNECT24
Impact
Please consult the above CVEs for details.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| Software mbCONNECT24 <=2.6.1 | Software mbCONNECT24 <=2.6.1 | |
| Software mymbCONNECT24 <=2.6.1 | Software mymbCONNECT24 <=2.6.1 |
Vulnerabilities
Expand / Collapse allAn issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.1. There is a SSRF and CSRF issue, in the com_mb24proxy module, allowing attackers to steal session information from logged in users with a specifically crafted link.
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the lancompenent component, allowing logged-in attackers to discover arbitrary information.
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the knximport component via an advanced attack vector, allowing logged in attackers to discover arbitrary information.
Remediation
Update mymbCONNECT24 and mbCONNECT24 to version >v2.6.1
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 18.09.2020 14:30 | Initial revision. |
| 2 | 06.11.2024 12:27 | Fix: added self-reference |
| 3 | 12.02.2025 17:48 | Fix: corrected self-reference, fixed version |
| 4 | 14.05.2025 14:28 | Fix: removed ia, added distribution |