Jan Syski Megabip vulnerabilities
11 known vulnerabilities affecting jan_syski/megabip.
Total CVEs
11
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL6HIGH2MEDIUM3
Vulnerabilities
Page 1 of 1
CVE-2024-1659P2CRITICALCVSS 9.8≤ 5.102024-06-12
CVE-2024-1659 [CRITICAL] CWE-434 CVE-2024-1659: Arbitrary File Upload vulnerability in MegaBIP software allows attacker to upload any file to the se
Arbitrary File Upload vulnerability in MegaBIP software allows attacker to upload any file to the server (including a PHP code file) without an authentication. This issue affects MegaBIP software versions through 5.10.
nvd
CVE-2024-1577P2CRITICALCVSS 9.8≤ 5.11.22024-06-12
CVE-2024-1577 [CRITICAL] CWE-94 CVE-2024-1577: Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the serv
Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue affects MegaBIP software versions through 5.11.2.
nvd
CVE-2024-1576P3CRITICALCVSS 9.8≤ 5.092024-06-12
CVE-2024-1576 [CRITICAL] CWE-89 CVE-2024-1576: SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privile
SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. This issue affects MegaBIP software versions through 5.09.
nvd
CVE-2024-6160P3CRITICALCVSS 9.3≤ 5.12.12024-06-24
CVE-2024-6160 [CRITICAL] CWE-89 CVE-2024-6160: SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the data
SQL Injection vulnerability in MegaBIP software allows attacker to disclose the contents of the database, obtain session cookies or modify the content of pages. This issue affects MegaBIP software versions through 5.12.1.
nvd
CVE-2025-3895P3CRITICALCVSS 9.1≤ 5.192025-05-23
CVE-2025-3895 [CRITICAL] CWE-334 CVE-2025-3895: Token used for resetting passwords in MegaBIP software are generated using a small space of random v
Token used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value.
It allows an unauthenticated attacker who know user login names to brute force these tokens and change account passwords (including these belonging to administrators).
Version 5.20 of MegaBIP fixes this issue.
nvd
CVE-2024-6527P3CRITICALCVSS 9.3≤ 5.132024-07-09
CVE-2024-6527 [CRITICAL] CWE-89 CVE-2024-6527: SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthori
SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthorized attacker to disclose the contents of the database and obtain administrator's token to modify the content of pages. This issue affects MegaBIP software versions through 5.13.
nvd
CVE-2025-3893P3HIGHCVSS 8.6≤ 5.192025-05-23
CVE-2025-3893 [HIGH] CWE-89 CVE-2025-3893: While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning f
While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability.
Version 5.20 of MegaBIP fixes this issue.
nvd
CVE-2024-6662P3HIGHCVSS 8.7fixed in 5.152025-01-10
CVE-2024-6662 [HIGH] CWE-352 CVE-2024-6662: Websites managed by MegaBIP in versions below 5.15 are vulnerable to Cross-Site Request Forgery (CSR
Websites managed by MegaBIP in versions below 5.15 are vulnerable to Cross-Site Request Forgery (CSRF) as the form available under "/edytor/index.php?id=7,7,0" lacks protection mechanisms.
A user could be tricked into visiting a malicious website, which would send POST request to this endpoint. If the victim is a logged in administrator, this could lead
nvd
CVE-2024-6880P3MEDIUMCVSS 6.9fixed in 5.152025-01-10
CVE-2024-6880 [MEDIUM] CWE-538 CVE-2024-6880: During MegaBIP installation process, a user is encouraged to change a default path to administrative
During MegaBIP installation process, a user is encouraged to change a default path to administrative portal, as keeping it secret is listed by the author as one of the protection mechanisms.
Publicly available source code of "/registered.php" discloses that path, allowing an attacker to attempt further attacks.
This issue affects MegaBIP software ver
nvd
CVE-2023-5378P4MEDIUMCVSS 5.4≤ 4.36.22024-01-29
CVE-2023-5378 [MEDIUM] CWE-79 CVE-2023-5378: Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows
Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2. MegaBIP 5.08 was tested and is not vulnerable. A precise range of vulnerable versions remains unknown.
nvd
CVE-2025-3894P4MEDIUMCVSS 4.8≤ 5.192025-05-23
CVE-2025-3894 [MEDIUM] CWE-79 CVE-2025-3894: Text editor embedded into MegaBIP software does not neutralize user input allowing Stored XSS attack
Text editor embedded into MegaBIP software does not neutralize user input allowing Stored XSS attacks on other users. In order to use the editor high privileges are required.
Version 5.20 of MegaBIP fixes this issue.
nvd