LMG Security, a renowned cybersecurity consultancy, has uncovered three critical software vulnerabilities that threaten numerous organizations, particularly credit unions, across the United States. These vulnerabilities, discovered by cybersecurity consultant Emily Gosney, exist within a web application used extensively by credit unions for content management. The identified vulnerabilities, each assigned a CVE ID, are a cross-site scripting flaw in the login page, a second cross-site scripting flaw in the admin portal, and a blind SQL injection vulnerability within the CMS admin portal. These vulnerabilities could lead to unauthorized access, compromising sensitive data and granting “ultra admin” privileges to malicious actors.
Emily Gosney emphasizes the urgency for affected organizations to upgrade to version 7.75 of the application and enable multi-factor authentication promptly. Failure to do so could result in severe repercussions, as the “ultra admin” account provides unrestricted access to every installation of the application worldwide. Gosney advises organizations to prioritize supplier security standards and conduct regular penetration testing to identify and address security gaps effectively.
LMG Security’s responsible disclosure of these vulnerabilities underscores its commitment to cybersecurity and to a safer online environment. While the vulnerabilities have been reported to the software provider, organizations are urged to take immediate action to mitigate potential risks and safeguard their systems against exploitation.