Multiple vulnerabilities in HubBank

Posted date 29/04/2024
Importance
5 - Critical
Affected Resources
  • HubBank, 1.0.2 version.
Description

INCIBE has coordinated the publication of 5 vulnerabilities, 1 of critical severity, 3 of high severity and 1 of medium severity, affecting HubBank of Ofofonobs version 1.0.2, an online banking script with SMS and email notifications, which have been discovered by David Utón Amaya.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • CVE-2024-4306: 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | CWE-434
  • CVE-2024-4307 a CVE-2024-4309: 8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | CWE-89
  • CVE-2024-4310: 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | CWE-79
Solution

There is no reported solution at this time.

Detail
  • CVE-2024-4306: critical unrestricted file upload vulnerability in HubBank affecting version 1.0.2. This vulnerability allows a registered user to upload malicious PHP files via upload document fields, resulting in webshell execution.
  • SQL injection vulnerability in HubBank affecting version 1.0.2. This vulnerability could allow an attacker to send a specially crafted SQL query to the database through different endpoints and retrieve the information stored in the database. The following identifiers have been assigned:
    • CVE-2024-4307: endpoints /accounts/activities.php?id=1, /accounts/view-deposit.php?id=1, /accounts/view_cards. php?id=1, /accounts/wire-transfer.php?id=1 and /accounts/wiretransfer-pending.php?id=1, id parameter.
    • CVE-2024-4308: endpoints /admin/view_users.php?id=1, /admin/viewloan-trans.php?id=1, /admin/view -deposit.php?id=1, /admin/view-domtrans.php?id=1, /admin/delete_cards.php?id=1, /admin/view_cards.php?id=1 and  /admin/view_users.php?id=1, id parameter.
    • CVE-2024-4309: endpoints /user/transaction.php?id=1,/user/credit-debit_transaction.php?id=1, /user/view_transaction. php?id=1 and  /user/viewloantrans.php?id=1, id parameter.
  • CVE-2024-4310: Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover.
References list
HubBank - Online Net Banking PHP Script
Etiquetas