SB2019050921 - Multiple vulnerabilities in Metinfo

Security Bulletin ID SB2019050921

CSH Severity

High

Patch available

NO

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2017-12789)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/interface/online/delete.php. The attack vector is: The administrator clicks on the malicious link in the login state.

2) Cross-site request forgery (CVE-ID: CVE-2017-12790)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/index.php. The attack vector is: The administrator clicks on the malicious link in the login state.

3) Cross-site scripting (CVE-ID: CVE-2017-12788)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote attackers to inject arbitrary web script or HTML via the (1) class1 parameter or the (2) anyid parameter.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://github.com/lemon666/vuln/blob/master/MetInfo5.3.md