Critical Software Vulnerabilities Impacting Credit Unions Discovered by LMG Security Researcher: Immediate Action Recommended
LMG Security, a cybersecurity consulting firm, has discovered three new critical software vulnerabilities that pose a significant threat to hundreds of organizations in the United States. Emily Gosney, a cybersecurity consultant at LMG Security, discovered these vulnerabilities in a web application that is primarily used by credit unions to manage content. A malicious user could leverage these vulnerabilities to gain "ultra admin" access to any organization running this application. These vulnerabilities pose a significant threat to hundreds of organizations across the United States.
"Impacted organizations using versions prior to v7.75 of this web application are urged to upgrade, and organizations using any version of this CMS should enable multi-factor authentication immediately," said Emily Gosney, cybersecurity consultant at LMG Security. The identified vulnerabilities have been assigned the following CVE IDs:
CVE-2023-48985: A reflected cross-site scripting vulnerability in the CMS admin portal login page 'login.php' could enable an unauthenticated malicious actor to intercept login credentials for the CMS admin portal. This vulnerability could be chained with CVE-2023-48987 to form a complete "zero to ultra admin" kill chain.
CVE-2023-48986: A reflected cross-site scripting vulnerability in 'users.php' within the CMS admin portal could enable a lower privileged malicious actor to elevate privileges or trick a user of a higher privilege level to perform unintended actions within the admin portal.
CVE-2023-48987: A blind SQL injection vulnerability in 'pages.php' within the CMS admin portal could enable an authenticated malicious actor to gain full read/write access to the backend database and leverage it to obtain the "ultra admin" password, which grants access to any organization running this CMS that does not have multi-factor authentication enabled.
"The 'ultra admin' account is a vendor backdoor account that grants access to every installation of this application globally," Gosney continued. "Just one organization running an outdated version of this application can put all other users at risk, including those who are already running the latest version."
To protect themselves from a data breach, Gosney advises, "Impacted organizations should immediately upgrade to the latest software version and enable multi-factor authentication to prevent malicious actors who possess the 'ultra admin' password from logging into their application portal." This discovery was reported to the application provider with more than the standard 90-day window to fix the issue before this announcement. For the name of the company and full details on the company and software impacted, please visit: https://www.LMGsecurity.com/news/critical-software-vulnerabilities-impacting-credit-unions-discovered-by-lmg-security-researcher-immediate-action-recommended/.
Gosney recommends that organizations stay vigilant about supplier security standards for their current and prospective suppliers. She also recommends organizations conduct penetration testing that includes web application and cloud environments at least annually so experts can identify your security gaps before an attacker uses them to breach your environment. LMG Security's discovery and disclosure of these vulnerabilities reaffirm our commitment to cybersecurity and building a safer, more secure web. LMG Security responsibly disclosed all three vulnerabilities to the software provider, and the software provider may have addressed these vulnerabilities in its application v7.75.