FKIE_CVE-2024-5514

Vulnerability from fkie_nvd - Published: 2024-05-30 03:15 - Updated: 2026-04-15 00:35
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs.
References
twcert@cert.org.twhttps://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5
twcert@cert.org.twhttps://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c
twcert@cert.org.twhttps://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html
twcert@cert.org.twhttps://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html
af854a3a-2127-422b-91ae-364da2661108https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MinMax CMS from\u00a0MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs."
    },
    {
      "lang": "es",
      "value": "MinMax CMS de MinMax Digital Technology contiene una cuenta de administrador oculta con una contrase\u00f1a fija que no se puede eliminar ni deshabilitar desde la interfaz de administraci\u00f3n. Los atacantes remotos que obtienen esta cuenta pueden eludir las restricciones de control de acceso a IP e iniciar sesi\u00f3n en el sistema backend sin ser registrados en los registros del sistema."
    }
  ],
  "id": "CVE-2024-5514",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "twcert@cert.org.tw",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-30T03:15:08.467",
  "references": [
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.chtsecurity.com/news/2dde8d39-59fc-4c09-b4ad-0acf692321c5"
    },
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.chtsecurity.com/news/6b2393f5-3041-4011-b2ea-528e312c6b3c"
    },
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.twcert.org.tw/en/cp-139-7831-b9a46-2.html"
    },
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html"
    }
  ],
  "sourceIdentifier": "twcert@cert.org.tw",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        },
        {
          "lang": "en",
          "value": "CWE-912"
        }
      ],
      "source": "twcert@cert.org.tw",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.