Multiple vulnerabilities in CIGESv2 system

Posted date 20/03/2024
Importance
5 - Critical
Affected Resources
  • CIGESv2
Description

INCIBE has coordinated the publication of 7 vulnerabilities (3 of critical severity, 1 of high severity and 3 of medium severity) affecting CIGESv2, a queue and appointment management system. They were discovered by:

  • Óscar Atienza (CVE-2024-2722, CVE-2024-2723 and CVE-2024-2724).
  • Rubén López Herrera (CVE-2024-2725, CVE-2024-2726, CVE-2024-2727 and CVE-2024-2728).

Each vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-2722 to CVE-2024-2724: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89
  • CVE-2024-2725: 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-200 
  • CVE-2024-2726: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79 
  • CVE-2024-2727: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | CWE-79 
  • CVE-2024-2728: 4.1 | CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N | CWE-200

Solution

All vulnerabilities have been fixed in the new product version, CIGESv3.

The manufacturer has developed a patch for those customers who have not migrated to the new version.

Detail
  • SQL injection vulnerability in the CIGESv2 system. This vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query. The list of assigned CVEs is as follows:
    • CVE-2024-2722: /ajaxConfigTotem.php, 'id' parameter.
    • CVE-2024-2723: /ajaxSubServicios.php, 'idServicio' parameter.
    • CVE-2024-2724: /ajaxServiciosAtencion.php, 'idServicio' parameter.
  • CVE-2024-2725: information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.
  • CVE-2024-2726: Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious JavaScript code in the application form without prior registration.
  • CVE-2024-2727: HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.
  • CVE-2024-2728: information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol.
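
A log review for the endpoints listed above, added here as an example and not part of the advisory or the vendor's patch: it flags requests where the named parameters carry non-integer values and successful fetches of installed.json. It assumes Combined Log Format access logs, parameters sent in the query string, and identifiers that are plain integers; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint -> (parameter, CVE), as listed in the advisory.
SQLI_ENDPOINTS = {
    "/ajaxConfigTotem.php": ("id", "CVE-2024-2722"),
    "/ajaxSubServicios.php": ("idServicio", "CVE-2024-2723"),
    "/ajaxServiciosAtencion.php": ("idServicio", "CVE-2024-2724"),
}
EXPOSED_FILE = "/vendor/composer/installed.json"  # CVE-2024-2725

# Request line and status code of a Combined Log Format entry.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
NUMERIC = re.compile(r"[0-9]+")  # assumption: valid identifiers are integers


def review_line(line):
    """Return the (cve, reason) findings for one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    findings = []
    # endswith() also covers installations under a subdirectory.
    if path.endswith(EXPOSED_FILE) and m.group("status") == "200":
        findings.append(("CVE-2024-2725", "installed.json was served"))
    for endpoint, (param, cve) in SQLI_ENDPOINTS.items():
        if not path.endswith(endpoint):
            continue
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        for value in values:
            if not NUMERIC.fullmatch(value):
                findings.append((cve, f"non-numeric {param}={value!r}"))
    return findings


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Mar/2024:09:00:01 +0100] "GET /ajaxSubServicios.php?idServicio=4 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [21/Mar/2024:09:00:05 +0100] "GET /ajaxConfigTotem.php?id=7%27 HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.7 - - [21/Mar/2024:09:00:09 +0100] "GET /vendor/composer/installed.json HTTP/1.1" 200 40213 "-" "-"',
    '198.51.100.7 - - [21/Mar/2024:09:00:12 +0100] "GET /vendor/composer/installed.json HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for cve, reason in review_line(entry):
            print(cve, reason, "<-", entry.split()[0])
```

Parameters sent in a POST body do not appear in access logs, so a clean result from this review does not cover that path.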