Search criteria
6 vulnerabilities found for smodbip by smod
FKIE_CVE-2023-5378
Vulnerability from fkie_nvd - Published: 2024-01-29 12:15 - Updated: 2024-11-21 08:41
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2. MegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown.
References
| URL | Tags | ||
|---|---|---|---|
| cvd@cert.pl | https://cert.pl/en/posts/2023/12/CVE-2023-5378 | Third Party Advisory | |
| cvd@cert.pl | https://cert.pl/posts/2023/12/CVE-2023-5378 | Third Party Advisory | |
| cvd@cert.pl | https://megabip.pl/ | Product | |
| cvd@cert.pl | https://smod.pl/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert.pl/en/posts/2023/12/CVE-2023-5378 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert.pl/posts/2023/12/CVE-2023-5378 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://megabip.pl/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://smod.pl/ | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:megabip:megabip:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A61E360F-A37C-4E94-AA77-340F36667E38",
"versionEndIncluding": "4.36.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:smod:smodbip:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E866378A-BD50-4001-9F9F-190B09F9DEAE",
"versionEndIncluding": "2.21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2.\u00a0MegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown."
},
{
"lang": "es",
"value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en MegaBIP y el software SmodBIP que ya no es compatible permite almacenar XSS. Este problema afecta a SmodBIP en todas las versiones y a MegaBIP en versiones hasta 4.36.2 (las versiones m\u00e1s recientes no se probaron; el proveedor no ha confirmado que solucione la vulnerabilidad)."
}
],
"id": "CVE-2023-5378",
"lastModified": "2024-11-21T08:41:38.930",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cvd@cert.pl",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-29T12:15:07.860",
"references": [
{
"source": "cvd@cert.pl",
"tags": [
"Third Party Advisory"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-5378"
},
{
"source": "cvd@cert.pl",
"tags": [
"Third Party Advisory"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-5378"
},
{
"source": "cvd@cert.pl",
"tags": [
"Product"
],
"url": "https://megabip.pl/"
},
{
"source": "cvd@cert.pl",
"tags": [
"Product"
],
"url": "https://smod.pl/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-5378"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-5378"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://megabip.pl/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://smod.pl/"
}
],
"sourceIdentifier": "cvd@cert.pl",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cvd@cert.pl",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-4837
Vulnerability from fkie_nvd - Published: 2023-10-10 10:15 - Updated: 2024-11-21 08:36
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
SmodBIP is vulnerable to Cross-Site Request Forgery, that could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges.
This issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed.
References
| URL | Tags | ||
|---|---|---|---|
| cvd@cert.pl | https://cert.pl/en/posts/2023/10/CVE-2023-4837/ | Third Party Advisory | |
| cvd@cert.pl | https://cert.pl/posts/2023/10/CVE-2023-4837/ | Third Party Advisory | |
| cvd@cert.pl | https://smod.pl/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert.pl/en/posts/2023/10/CVE-2023-4837/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert.pl/posts/2023/10/CVE-2023-4837/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://smod.pl/ | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:smod:smodbip:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F9B45085-41FA-4406-A4CE-1010C45DD858",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cvd@cert.pl",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SmodBIP is vulnerable to Cross-Site Request Forgery, that could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges. \nThis issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed.\n\n"
},
{
"lang": "es",
"value": "** NO SOPORTADO CUANDO EST\u00c1 ASIGNADO ** SmodBIP es vulnerable a Cross-Site Request Forgery, que podr\u00eda usarse para inducir a los usuarios registrados a realizar acciones no deseadas, incluida la creaci\u00f3n de cuentas adicionales con privilegios administrativos. Este problema afecta a todas las versiones de SmodBIP. SmodBIP ya no se mantiene y la vulnerabilidad no se solucionar\u00e1."
}
],
"id": "CVE-2023-4837",
"lastModified": "2024-11-21T08:36:04.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cvd@cert.pl",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-10T10:15:10.100",
"references": [
{
"source": "cvd@cert.pl",
"tags": [
"Third Party Advisory"
],
"url": "https://cert.pl/en/posts/2023/10/CVE-2023-4837/"
},
{
"source": "cvd@cert.pl",
"tags": [
"Third Party Advisory"
],
"url": "https://cert.pl/posts/2023/10/CVE-2023-4837/"
},
{
"source": "cvd@cert.pl",
"tags": [
"Product"
],
"url": "https://smod.pl/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cert.pl/en/posts/2023/10/CVE-2023-4837/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cert.pl/posts/2023/10/CVE-2023-4837/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://smod.pl/"
}
],
"sourceIdentifier": "cvd@cert.pl",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "cvd@cert.pl",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-5378 (GCVE-0-2023-5378)
Vulnerability from cvelistv5 – Published: 2024-01-29 11:11 – Updated: 2025-06-17 21:29
VLAI?
Title
Stored XSS in SmodBIP and MegaBIP
Summary
Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2. MegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown.
Severity ?
8.8 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://megabip.pl/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://smod.pl/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-5378"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-5378"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-31T18:06:53.101425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:29:17.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "MegaBIP",
"repo": "https://megabip.pl/pobierz/1",
"vendor": "Jan Syski",
"versions": [
{
"lessThanOrEqual": "4.36.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "5.08",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "SmodBIP",
"repo": "https://smod.pl/pliki/smodbip221.zip",
"vendor": "Jan Syski",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-01-12T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.\u003cp\u003eThis issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2.\u00a0MegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T15:36:09.436Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"product"
],
"url": "https://megabip.pl/"
},
{
"tags": [
"product"
],
"url": "https://smod.pl/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-5378"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-5378"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in SmodBIP and MegaBIP",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-5378",
"datePublished": "2024-01-29T11:11:11.608Z",
"dateReserved": "2023-10-04T10:45:50.683Z",
"dateUpdated": "2025-06-17T21:29:17.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4837 (GCVE-0-2023-4837)
Vulnerability from cvelistv5 – Published: 2023-10-10 09:20 – Updated: 2024-09-18 19:02 Unsupported When Assigned
VLAI?
Title
Cross-site request forgery (CSRF) in SmodBIP
Summary
SmodBIP is vulnerable to Cross-Site Request Forgery, that could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges.
This issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed.
Severity ?
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Krzysztof Zając (CERT.PL)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.859Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2023/10/CVE-2023-4837/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2023/10/CVE-2023-4837/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://smod.pl/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T19:01:00.494841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T19:02:34.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "SmodBIP",
"repo": "https://smod.pl/pliki/smodbip221.zip",
"vendor": "Jan Syski",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Krzysztof Zaj\u0105c (CERT.PL)"
}
],
"datePublic": "2023-10-10T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eSmodBIP is vulnerable to Cross-Site Request Forgery, that could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges. \u003cbr\u003e\u003ccode\u003eThis issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed.\u003c/code\u003e\u003c/div\u003e"
}
],
"value": "SmodBIP is vulnerable to Cross-Site Request Forgery, that could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges. \nThis issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-10T09:20:53.558Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2023/10/CVE-2023-4837/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2023/10/CVE-2023-4837/"
},
{
"tags": [
"product"
],
"url": "https://smod.pl/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Cross-site request forgery (CSRF) in SmodBIP",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-4837",
"datePublished": "2023-10-10T09:20:53.558Z",
"dateReserved": "2023-09-08T11:43:25.153Z",
"dateUpdated": "2024-09-18T19:02:34.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5378 (GCVE-0-2023-5378)
Vulnerability from nvd – Published: 2024-01-29 11:11 – Updated: 2025-06-17 21:29
VLAI?
Title
Stored XSS in SmodBIP and MegaBIP
Summary
Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2. MegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown.
Severity ?
8.8 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://megabip.pl/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://smod.pl/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-5378"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-5378"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-31T18:06:53.101425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:29:17.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "MegaBIP",
"repo": "https://megabip.pl/pobierz/1",
"vendor": "Jan Syski",
"versions": [
{
"lessThanOrEqual": "4.36.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "5.08",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "SmodBIP",
"repo": "https://smod.pl/pliki/smodbip221.zip",
"vendor": "Jan Syski",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-01-12T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.\u003cp\u003eThis issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2.\u00a0MegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T15:36:09.436Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"product"
],
"url": "https://megabip.pl/"
},
{
"tags": [
"product"
],
"url": "https://smod.pl/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-5378"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-5378"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in SmodBIP and MegaBIP",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-5378",
"datePublished": "2024-01-29T11:11:11.608Z",
"dateReserved": "2023-10-04T10:45:50.683Z",
"dateUpdated": "2025-06-17T21:29:17.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4837 (GCVE-0-2023-4837)
Vulnerability from nvd – Published: 2023-10-10 09:20 – Updated: 2024-09-18 19:02 Unsupported When Assigned
VLAI?
Title
Cross-site request forgery (CSRF) in SmodBIP
Summary
SmodBIP is vulnerable to Cross-Site Request Forgery, that could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges.
This issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed.
Severity ?
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Krzysztof Zając (CERT.PL)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.859Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2023/10/CVE-2023-4837/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2023/10/CVE-2023-4837/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://smod.pl/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T19:01:00.494841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T19:02:34.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "SmodBIP",
"repo": "https://smod.pl/pliki/smodbip221.zip",
"vendor": "Jan Syski",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Krzysztof Zaj\u0105c (CERT.PL)"
}
],
"datePublic": "2023-10-10T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eSmodBIP is vulnerable to Cross-Site Request Forgery, that could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges. \u003cbr\u003e\u003ccode\u003eThis issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed.\u003c/code\u003e\u003c/div\u003e"
}
],
"value": "SmodBIP is vulnerable to Cross-Site Request Forgery, that could be used to induce logged in users to perform unintended actions, including creation of additional accounts with administrative privileges. \nThis issue affects all versions of SmodBIP. SmodBIP is no longer maintained and the vulnerability will not be fixed.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-10T09:20:53.558Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2023/10/CVE-2023-4837/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2023/10/CVE-2023-4837/"
},
{
"tags": [
"product"
],
"url": "https://smod.pl/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Cross-site request forgery (CSRF) in SmodBIP",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-4837",
"datePublished": "2023-10-10T09:20:53.558Z",
"dateReserved": "2023-09-08T11:43:25.153Z",
"dateUpdated": "2024-09-18T19:02:34.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}