Multiple vulnerabilities in Amssplus' AMSS++

Posted date 18/03/2024
5 - Critical
Affected Resources
  • AMSS++, 4.31 version.

INCIBE has coordinated the publication of 16 vulnerabilities affecting AMSS++, a tool for the office management support system of the educational services area of Amssplus: 1 of critical severity and 15 of high severity, which have been discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • For the 9 SQL injection vulnerabilities:
    • CVE-2024-2584 to CVE-2024-2592: 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | CWE-89
  • For the 8 Cross-Site Scripting vulnerabilities:
    • CVE-2024-2593 to CVE-2024-2698: 7.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | CWE-79
  • For the remaining vulnerability:
    • CVE-2024-2599: 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | CWE-434

There is no reported solution at this time.

  • Vulnerability in AMSS++ version 4.31 that allows SQL injection through different parameters. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB. The list of assigned CVE codes is as follows:
    • CVE-2024-2584: /amssplus/modules/book/main/select_send.php, 'sd_index' parameter.
    • CVE-2024-2585: /amssplus/modules/book/main/select_send_2.php, 'sd_index' parameter.
    • CVE-2024-2586: /amssplus/index.php, 'username' parameter.
    • CVE-2024-2587: /amssplus/modules/book/main/bookdetail_khet_person.php, multiple parameters.
    • CVE-2024-2588: /amssplus/admin/index.php, 'id' parameter.
    • CVE-2024-2589: /amssplus/modules/book/main/bookdetail_school_person.php, multiple parameters.
    • CVE-2024-2590: /amssplus/modules/mail/main/select_send.php, 'sd_index' parameter.
    • CVE-2024-2591: /amssplus/modules/book/main/bookdetail_group.php, multiple parameters.
    • CVE-2024-2592: /amssplus/modules/person/pic_show.php, 'person_id' parameter.
  • Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials. The list of assigned CVE codes is as follows:
    • CVE-2024-2593: /amssplus/modules/book/main/bookdetail_group.php, 'b_id' parameter.
    • CVE-2024-2594: /amssplus/admin/index.php, multiple parameters.
    • CVE-2024-2595: /amssplus/modules/book/main/bookdetail_khet_person.php, 'b_id' parameter.
    • CVE-2024-2596: /amssplus/modules/mail/main/select_send.php, multiple parameters.
    • CVE-2024-2597: /amssplus/modules/book/main/bookdetail_school_person.php, 'b_id' parameter.
    • CVE-2024-2598: /amssplus/modules/book/main/select_send_2.php, multiple parameters.
  • CVE-2024-2599: file upload restriction evasion vulnerability in AMSS++ version 4.31. This vulnerability could allow an authenticated user to potentially obtain RCE through webshell, compromising the entire infrastructure.