Search criteria
1 vulnerability by MinMax Digital Technology
CVE-2024-5514 (GCVE-0-2024-5514)
Vulnerability from cvelistv5 – Published: 2024-05-30 02:14 – Updated: 2024-11-25 03:04
VLAI
Title
MinMax CMS - Hidden Functionality
Summary
MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.
Severity
9.8 (Critical)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html | third-party-advisory |
| https://www.chtsecurity.com/news/2dde8d39-59fc-4c… | third-party-advisory |
| https://www.chtsecurity.com/news/6b2393f5-3041-40… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MinMax Digital Technology | MinMax CMS |
Affected:
unknown
|
Date Public
2024-05-30 02:06
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:minmax:minmax:-:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "minmax",
"vendor": "minmax",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5514",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-30T14:29:44.054873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:02:49.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:18:05.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MinMax CMS",
"vendor": "MinMax Digital Technology",
"versions": [
{
"status": "affected",
"version": "unknown"
}
]
}
],
"datePublic": "2024-05-30T02:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MinMax CMS from\u0026nbsp;MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs."
}
],
"value": "MinMax CMS from\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs."
}
],
"impacts": [
{
"capecId": "CAPEC-190",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-190 Reverse Engineer an Executable to Expose Assumed Hidden Functionality"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "CWE-912: Hidden Functionality",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T03:04:51.155Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Please ask the vendor for advice."
}
],
"value": "Please ask the vendor for advice."
}
],
"source": {
"advisory": "TVN-202405006",
"discovery": "EXTERNAL"
},
"title": "MinMax CMS - Hidden Functionality",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-5514",
"datePublished": "2024-05-30T02:14:46.713Z",
"dateReserved": "2024-05-30T01:40:43.656Z",
"dateUpdated": "2024-11-25T03:04:51.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}