Vulnerability-Lookup

CVE-2024-5514 (GCVE-0-2024-5514)

Vulnerability from cvelistv5 – Published: 2024-05-30 02:14 – Updated: 2024-11-25 03:04

Title

MinMax CMS - Hidden Functionality

Summary

MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-798 - Use of Hard-coded Credentials
CWE-912 - Hidden Functionality

Assigner

twcert

References

4 references

URL	Tags
https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html	third-party-advisory
https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html	third-party-advisory
https://www.chtsecurity.com/news/2dde8d39-59fc-4c…	third-party-advisory
https://www.chtsecurity.com/news/6b2393f5-3041-40…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
MinMax Digital Technology	MinMax CMS	Affected: unknown

Date Public

2024-05-30 02:06

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:minmax:minmax:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "minmax",
            "vendor": "minmax",
            "versions": [
              {
                "status": "affected",
                "version": "-"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-5514",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-30T14:29:44.054873Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:02:49.067Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:18:05.342Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MinMax CMS",
          "vendor": "MinMax Digital Technology",
          "versions": [
            {
              "status": "affected",
              "version": "unknown"
            }
          ]
        }
      ],
      "datePublic": "2024-05-30T02:06:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "MinMax CMS from\u0026nbsp;MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs."
            }
          ],
          "value": "MinMax CMS from\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-190",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-190 Reverse Engineer an Executable to Expose Assumed Hidden Functionality"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798 Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-912",
              "description": "CWE-912: Hidden Functionality",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-25T03:04:51.155Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Please ask the vendor for advice."
            }
          ],
          "value": "Please ask the vendor for advice."
        }
      ],
      "source": {
        "advisory": "TVN-202405006",
        "discovery": "EXTERNAL"
      },
      "title": "MinMax CMS - Hidden Functionality",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2024-5514",
    "datePublished": "2024-05-30T02:14:46.713Z",
    "dateReserved": "2024-05-30T01:40:43.656Z",
    "dateUpdated": "2024-11-25T03:04:51.155Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-5514",
      "date": "2026-05-27",
      "epss": "0.00233",
      "percentile": "0.46075"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"MinMax CMS from\\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.\"}, {\"lang\": \"es\", \"value\": \"MinMax CMS de MinMax Digital Technology contiene una cuenta de administrador oculta con una contrase\\u00f1a fija que no se puede eliminar ni deshabilitar desde la interfaz de administraci\\u00f3n. Los atacantes remotos que obtienen esta cuenta pueden eludir las restricciones de control de acceso a IP e iniciar sesi\\u00f3n en el sistema backend sin ser registrados en los registros del sistema.\"}]",
      "id": "CVE-2024-5514",
      "lastModified": "2024-11-25T03:15:12.733",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"twcert@cert.org.tw\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2024-05-30T03:15:08.467",
      "references": "[{\"url\": \"https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5\", \"source\": \"twcert@cert.org.tw\"}, {\"url\": \"https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c\", \"source\": \"twcert@cert.org.tw\"}, {\"url\": \"https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html\", \"source\": \"twcert@cert.org.tw\"}, {\"url\": \"https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html\", \"source\": \"twcert@cert.org.tw\"}, {\"url\": \"https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "twcert@cert.org.tw",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"twcert@cert.org.tw\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}, {\"lang\": \"en\", \"value\": \"CWE-912\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-5514\",\"sourceIdentifier\":\"twcert@cert.org.tw\",\"published\":\"2024-05-30T03:15:08.467\",\"lastModified\":\"2024-11-25T03:15:12.733\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MinMax CMS from\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.\"},{\"lang\":\"es\",\"value\":\"MinMax CMS de MinMax Digital Technology contiene una cuenta de administrador oculta con una contrase\u00f1a fija que no se puede eliminar ni deshabilitar desde la interfaz de administraci\u00f3n. Los atacantes remotos que obtienen esta cuenta pueden eludir las restricciones de control de acceso a IP e iniciar sesi\u00f3n en el sistema backend sin ser registrados en los registros del sistema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"},{\"lang\":\"en\",\"value\":\"CWE-912\"}]}],\"references\":[{\"url\":\"https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5\",\"source\":\"twcert@cert.org.tw\"},{\"url\":\"https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c\",\"source\":\"twcert@cert.org.tw\"},{\"url\":\"https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html\",\"source\":\"twcert@cert.org.tw\"},{\"url\":\"https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html\",\"source\":\"twcert@cert.org.tw\"},{\"url\":\"https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:18:05.342Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-5514\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-30T14:29:44.054873Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:minmax:minmax:-:*:*:*:*:*:*:*\"], \"vendor\": \"minmax\", \"product\": \"minmax\", \"versions\": [{\"status\": \"affected\", \"version\": \"-\"}], \"defaultStatus\": \"affected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-30T14:30:19.535Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"MinMax CMS - Hidden Functionality\", \"source\": {\"advisory\": \"TVN-202405006\", \"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-190\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-190 Reverse Engineer an Executable to Expose Assumed Hidden Functionality\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"MinMax Digital Technology\", \"product\": \"MinMax CMS\", \"versions\": [{\"status\": \"affected\", \"version\": \"unknown\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Please ask the vendor for advice.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Please ask the vendor for advice.\", \"base64\": false}]}], \"datePublic\": \"2024-05-30T02:06:00.000Z\", \"references\": [{\"url\": \"https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"MinMax CMS from\\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"MinMax CMS from\u0026nbsp;MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798 Use of Hard-coded Credentials\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-912\", \"description\": \"CWE-912: Hidden Functionality\"}]}], \"providerMetadata\": {\"orgId\": \"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e\", \"shortName\": \"twcert\", \"dateUpdated\": \"2024-11-25T03:04:51.155Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-5514\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-25T03:04:51.155Z\", \"dateReserved\": \"2024-05-30T01:40:43.656Z\", \"assignerOrgId\": \"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e\", \"datePublished\": \"2024-05-30T02:14:46.713Z\", \"assignerShortName\": \"twcert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

BDU:2024-04399

Vulnerability from fstec - Published: 30.05.2024

Title

Уязвимость CMS-системы MinMax CMS, связанная с использованием жестко закодированных учетных данных, позволяющая нарушителю получить доступ к учетной записи и осуществить вход в систему

Description

Уязвимость CMS-системы MinMax CMS связана с использованием жестко закодированных учетных данных. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить доступ к учетной записи и осуществить вход в систему

Severity


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Minmax Digital Technology Co., Ltd.

Software Name

MinMax CMS

Software Version

- (MinMax CMS)

Possible Mitigations

Компенсирующие меры: - использование межсетевого экрана уровня приложений (WAF) для фильтрации пользовательского ввода; - использование виртуальных частных сетей для организации удаленного доступа (VPN).

Reference

https://vuldb.com/?id.266565 https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html https://linuxpatch.com/cve/CVE-2024-5514

CWE

CWE-798, CWE-912

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Minmax Digital Technology Co., Ltd.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "- (MinMax CMS)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 (WAF) \u0434\u043b\u044f \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u0433\u043e \u0432\u0432\u043e\u0434\u0430;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u0445 \u0447\u0430\u0441\u0442\u043d\u044b\u0445 \u0441\u0435\u0442\u0435\u0439 \u0434\u043b\u044f \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0438 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (VPN).",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "30.05.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "07.06.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "07.06.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-04399",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-5514",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0443\u0435\u0442",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "MinMax CMS",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CMS-\u0441\u0438\u0441\u0442\u0435\u043c\u044b MinMax CMS, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0436\u0435\u0441\u0442\u043a\u043e \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0443\u0447\u0435\u0442\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u0438 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c \u0432\u0445\u043e\u0434 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0416\u0435\u0441\u0442\u043a\u043e\u0435 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-798), \u0421\u043a\u0440\u044b\u0442\u044b\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u0438 (CWE-912)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CMS-\u0441\u0438\u0441\u0442\u0435\u043c\u044b MinMax CMS \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0436\u0435\u0441\u0442\u043a\u043e \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0443\u0447\u0435\u0442\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u0438 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c \u0432\u0445\u043e\u0434 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u0417\u043b\u043e\u0443\u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://vuldb.com/?id.266565\nhttps://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html\nhttps://linuxpatch.com/cve/CVE-2024-5514",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0430\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-798, CWE-912",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

FKIE_CVE-2024-5514

Vulnerability from fkie_nvd - Published: 2024-05-30 03:15 - Updated: 2026-04-15 00:35

Severity

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	twcert@cert.org.tw	https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5
	twcert@cert.org.tw	https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c
	twcert@cert.org.tw	https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html
	twcert@cert.org.tw	https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html
	af854a3a-2127-422b-91ae-364da2661108	https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MinMax CMS from\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs."
    },
    {
      "lang": "es",
      "value": "MinMax CMS de MinMax Digital Technology contiene una cuenta de administrador oculta con una contrase\u00f1a fija que no se puede eliminar ni deshabilitar desde la interfaz de administraci\u00f3n. Los atacantes remotos que obtienen esta cuenta pueden eludir las restricciones de control de acceso a IP e iniciar sesi\u00f3n en el sistema backend sin ser registrados en los registros del sistema."
    }
  ],
  "id": "CVE-2024-5514",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "twcert@cert.org.tw",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-30T03:15:08.467",
  "references": [
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5"
    },
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c"
    },
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html"
    },
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"
    }
  ],
  "sourceIdentifier": "twcert@cert.org.tw",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        },
        {
          "lang": "en",
          "value": "CWE-912"
        }
      ],
      "source": "twcert@cert.org.tw",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-5514 (GCVE-0-2024-5514)

BDU:2024-04399

FKIE_CVE-2024-5514

Tags

Sightings

Nomenclature