Multiple vulnerabilities on Meta4 HR from Cegid

Posted date 19/03/2024
Importance
5 - Critical
Affected Resources

Meta4 HR, version 819.001.022 and earlier.

Description

INCIBE has coordinated the publication of 5 vulnerabilities that affects Meta4 HR from Cegid, hardware device to emit light and vehicle positioning signals, with one critical, two high and two medium severities, which has been discovered by:

  • Pedro Jose Navas Pérez from Hispasec y Jesús Antón (CVE-2024-2632).
  • Pedro Jose Navas Pérez from Hispasec (CVE-2024-2633 y CVE-2024-2634).
  • Jesús Antón (CVE-2024-2635 y CVE-2024-2636).

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and the CWE vulnerability type of each vulnerability:

  • CVE-2024-2632: 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-200
  • CVE-2024-2633: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79
  • CVE-2024-2634: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79
  • CVE-2024-2635: 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | CWE-698
  • CVE-2024-2636: 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-434
     
Solution
  • CVE-2024-2632 y CVE-2024-2633: The Meta4 HR system administrator should remove the following pages from the web servers facing the Internet: From M4WebServices: The folder "sitetest" (containing the dumpenv.jsp page) From M4Gateway: The page dump.jsp In future releases of Cegid Meta4 HR, these pages will be removed from the distribution since they do not offer real functionality.
  • CVE-2024-2634: Any product with all fixes applied after 2013 is not vulnerable to this XSS.
  • CVE-2024-2635: The configuration pages available are not intended to be placed on an Internet facing web server, as they expose file paths to the client, who can be an attacker. Instead of rewriting these pages to avoid this vulnerability, they will be dismissed from future releases of Cegid Meta4 HR, as they do not offer product functionality.
  • CVE-2024-2636: The Meta4 HR system administrator should remove the following pages from the web servers facing the Internet: From M4WebServices: The folder "config" (containing the webappconfig.jsp page). In future releases of Cegid Meta4 HR, these pages will be removed from the default distribution, so that there is not a real possibility of being left on an Internet facing production server.
     
Detail
  • CVE-2024-2632: A Information Exposure Vulnerability has been found on Meta4 HR. This vulnerability allows an attacker to obtain a lot of information about the application such as the variables set in the process, the Tomcat versions, library versions and underlying operation system via HTTP GET '/sitetest/english/dumpenv.jsp'.
  • CVE-2024-2633: A Cross-Site Scripting Vulnerability has been found on Meta4 HR affecting version 819.001.022 and earlier. The endpoint '/sitetest/english/dumpenv.jsp' is vulnerable to XSS attack by 'lang' query, i.e. '/sitetest/english/dumpenv.jsp?snoop=yes&lang=%27%3Cimg%20src/onerror=alert(1)%3E&params'.
  • CVE-2024-2634: A Cross-Site Scripting Vulnerability has been found on Meta4 HR affecting version 819.001.022 and earlier. The endpoint '/sse_generico/generico_login.jsp' is vulnerable to XSS attack via 'lang' query, i.e. '/sse_generico/generico_login.jsp?lang=%27%3balert(%27BLEUSS%27)%2f%2f&params='.
  • CVE-2024-2635: A vulnerability has been discovered in Cegid Meta4 HR that consists of execution after redirect. This vulnerability could allow an attacker to bypass the security measures of the applications by accessing the 'webappconfig.jsp' file directly and canceling the redirect request, leading to the configuration file inside the application, in which an attacker could modify different parameters.
  • CVE-2024-2636:  An Unrestricted Upload of File vulnerability has been found on Cegid Meta4 HR, that allows an attacker to upload malicios files to the server via '/config/espanol/update_password.jsp' file. Modifying the 'M4_NEW_PASSWORD' parameter, an attacker could store a malicious JSP file inside the file directory, to be executed the the file is loaded in the application.
References list
Etiquetas