CVE-2024-6662 Information
Jan 11, 2025
cve
Description
Websites managed by MegaBIP in versions below 5.15 are vulnerable to Cross-Site Request Forgery (CSRF), as the form available under /edytor/index.php?id=770 lacks CSRF protection mechanisms. A user could be tricked into visiting a malicious website which would send a POST request to this endpoint. If the victim is a logged-in administrator, this could lead to the creation of new accounts and the granting of administrative permissions.
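The fix for this class of bug is to bind every state-changing form submission to the user's session with a token the browser cannot obtain cross-site, and to reject requests that lack it. The following is an added example written for this page, not MegaBIP's own code; the handler name, the `SERVER_SECRET`, the session id, the trusted origin and the request dictionaries are all constructed for illustration, and the form field names are assumptions.

```python
import hmac
import hashlib

# Constructed secret for the example; a real deployment loads it from configuration, not source.
SERVER_SECRET = b"constructed-example-secret"
SESSION_ID = "sess-constructed-1"            # constructed session identifier of the logged-in admin
TRUSTED_ORIGIN = "https://bip.example"       # assumed origin of the site's own editor pages


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: derived per session, embedded as a hidden field in the form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_account_form(request: dict, session_id: str, trusted_origin: str) -> tuple[int, str]:
    """Hypothetical hardened handler for an account-management form such as the one in the advisory.

    The request is a constructed dict with 'method', 'headers' and 'form' keys.
    Returns an HTTP status and a short reason."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # compare_digest avoids leaking the token through timing differences.
    if not submitted or not hmac.compare_digest(submitted, expected):
        return 403, "missing or invalid CSRF token"
    # Defence in depth: when the browser sends an Origin header, it must match the site itself.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != trusted_origin:
        return 403, "cross-origin request rejected"
    return 200, "account created"


# Constructed request as a third-party page would cause the victim's browser to send it:
# the session cookie rides along, but the page cannot read the token, so the field is absent.
FORGED_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "https://third-party.example", "Cookie": "PHPSESSID=" + SESSION_ID},
    "form": {"login": "newadmin", "role": "admin"},
}

# Constructed request from the site's own form, which carried the hidden token field.
LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": TRUSTED_ORIGIN, "Cookie": "PHPSESSID=" + SESSION_ID},
    "form": {"login": "newadmin", "role": "admin", "csrf_token": issue_csrf_token(SESSION_ID)},
}

if __name__ == "__main__":
    print(handle_account_form(FORGED_REQUEST, SESSION_ID, TRUSTED_ORIGIN))  # (403, ...)
    print(handle_account_form(LEGIT_REQUEST, SESSION_ID, TRUSTED_ORIGIN))   # (200, ...)
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the server-side token check above is the control that closes the bug described in the advisory.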
Reference
https://cert.pl/en/posts/2024/09/CVE-2024-6662
https://megabip.pl/
https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej