{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6160", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-06-19T12:10:07.260Z", "datePublished": "2024-06-24T09:52:50.851Z", "dateUpdated": "2024-06-25T15:30:17.258Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MegaBIP", "repo": "https://megabip.pl/pobierz/1", "vendor": "Jan Syski", "versions": [{"lessThanOrEqual": "5.12.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages.&nbsp;<p>This issue affects MegaBIP software versions through 5.12.1.</p>"}], "value": "SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages.\u00a0This issue affects MegaBIP software versions through 5.12.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "IRRECOVERABLE", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:I/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-06-24T09:52:50.851Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/06/CVE-2024-6160/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/06/CVE-2024-6160/"}, {"tags": ["product"], "url": "https://megabip.pl/"}, {"tags": ["government-resource"], "url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej"}], "source": {"discovery": "UNKNOWN"}, "title": "SQL Injection in MegaBIP", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "jan_syski", "product": "megabip", "cpes": ["cpe:2.3:a:jan_syski:megabip:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.12.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-25T15:28:38.277031Z", "id": "CVE-2024-6160", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T15:30:17.258Z"}}]}}

{"descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages.\u00a0This issue affects MegaBIP software versions through 5.12.1."}], "id": "CVE-2024-6160", "lastModified": "2024-06-24T12:57:36.513", "metrics": {}, "published": "2024-06-24T10:15:10.277", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2024/06/CVE-2024-6160/"}, {"source": "cvd@cert.pl", "url": "https://cert.pl/posts/2024/06/CVE-2024-6160/"}, {"source": "cvd@cert.pl", "url": "https://megabip.pl/"}, {"source": "cvd@cert.pl", "url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cvd@cert.pl", "type": "Secondary"}]}

{}