VYPR

Megabip

by Megabip

CVEs (10)

  • CVE-2024-6527CriJul 9, 2024
    Megabip
    Megabip
    risk 0.60cvss epss 0.00

    SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthorized attacker to disclose the contents of the database and obtain administrator's token to modify the content of pages.  This issue affects MegaBIP software versions through 5.13.

  • CVE-2024-6160CriJun 24, 2024
    Megabip
    Megabip
    risk 0.60cvss epss 0.00

    SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages. This issue affects MegaBIP software versions through 5.12.1.

  • CVE-2025-3895CriMay 23, 2025
    Megabip
    Megabip
    risk 0.59cvss epss 0.01

    Token used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value. It allows an unauthenticated attacker who know user login names to brute force these tokens and change account passwords (including these belonging to administrators).  Version 5.20 of MegaBIP fixes this issue.

  • CVE-2024-6662HigJan 10, 2025
    Megabip
    Megabip
    risk 0.57cvss epss 0.00

    Websites managed by MegaBIP in versions below 5.15 are vulnerable to Cross-Site Request Forgery (CSRF) as the form available under "/edytor/index.php?id=7,7,0" lacks protection mechanisms. A user could be tricked into visiting a malicious website, which would send POST request to this endpoint. If the victim is a logged in administrator, this could lead to creation of new accounts and granting of administrative permissions.

  • CVE-2025-3893HigMay 23, 2025
    Megabip
    Megabip
    risk 0.56cvss epss 0.00

    While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability.  Version 5.20 of MegaBIP fixes this issue.

  • CVE-2024-6880MedJan 10, 2025
    GitHub
    Org
    risk 0.45cvss epss 0.00

    During MegaBIP installation process, a user is encouraged to change a default path to administrative portal, as keeping it secret is listed by the author as one of the protection mechanisms.  Publicly available source code of "/registered.php" discloses that path, allowing an attacker to attempt further attacks.   This issue affects MegaBIP software versions below 5.15

  • CVE-2025-3894MedMay 23, 2025
    Megabip
    Megabip
    risk 0.31cvss epss 0.00

    Text editor embedded into MegaBIP software does not neutralize user input allowing Stored XSS attacks on other users. In order to use the editor high privileges are required.   Version 5.20 of MegaBIP fixes this issue.

  • CVE-2024-1659Jun 12, 2024
    Megabip
    Megabip
    risk 0.00cvss epss 0.00

    Arbitrary File Upload vulnerability in MegaBIP software allows attacker to upload any file to the server (including a PHP code file) without an authentication. This issue affects MegaBIP software versions through 5.10.

  • CVE-2024-1577Jun 12, 2024
    Megabip
    Megabip
    risk 0.00cvss epss 0.02

    Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue affects MegaBIP software versions through 5.11.2.

  • CVE-2024-1576Jun 12, 2024
    Megabip
    Megabip
    risk 0.00cvss epss 0.00

    SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. This issue affects MegaBIP software versions through 5.09.