Share: Email | Twitter

ID

VDE-2020-035

Published

2020-09-18 14:30 (CEST)

Last update

2020-09-18 14:30 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No° Product Name Affected Version(s)
mbCONNECT24 <= 2.6.1
mymbCONNECT24 <= 2.6.1

Summary

Multiples issues exist in mymbCONNECT24 and mbCONNECT24

Vulnerabilities



CVE-2020-24568
6.5
Last Update
Nov. 17, 2022, 10:47 a.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Weakness
Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") (CWE-89)
Summary
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the lancompenent component, allowing logged-in attackers to discover arbitrary information.
Details
nvd.nist.gov 
CVE-2020-24570
6.5
Last Update
Nov. 17, 2022, 10:47 a.m.
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Weakness
Cross-Site Request Forgery (CWE-352)
Summary

An issue was discovered in the mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.1. There is a SSRF and CSRF issue, in the com_mb24proxy module, allowing attackers to steal session information from logged in users with a specifically crafted link.

Details
nvd.nist.gov 
CVE-2020-24569
4.3
Last Update
Nov. 17, 2022, 10:47 a.m.
Severity
4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Weakness
Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") (CWE-89)
Summary
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the knximport component via an advanced attack vector, allowing logged in attackers to discover arbitrary information.
Details
nvd.nist.gov 

Impact

Please consult the above CVEs for details.

Solution

Update mymbCONNECT24 and mbCONNECT24 to version > v2.6.1

Reported by