Critical Web Application Vulnerabilities Threatening Credit Unions Uncovered by LMG Security

February 15, 2024

LMG Security, a leading cybersecurity consulting company, has identified three critical software vulnerabilities posing a substantial threat to hundreds of U.S. organizations. The vulnerabilities were discovered by Emily Gosney, an LMG Security cybersecurity consultant, in a web application widely used by credit unions for content management. A malicious user could exploit these vulnerabilities to gain 'ultra admin' access to any organization using this application.

The vulnerabilities have been assigned the following CVE IDs: CVE-2023-48985, a reflected cross-site scripting vulnerability in the CMS admin portal login page; CVE-2023-48986, a reflected cross-site scripting vulnerability within the CMS admin portal; and CVE-2023-48987, a blind SQL injection vulnerability within the CMS admin portal. These vulnerabilities could enable a malicious actor to intercept login credentials, elevate privileges, or gain full read/write access to the backend database, thereby obtaining the 'ultra admin' password.
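The two defect classes named above, reflected cross-site scripting and blind SQL injection, share one root cause: untrusted request input reaches an interpreter (the SQL engine or the browser's HTML parser) as code rather than as data. The following Python example is added here for illustration; it is not code from the affected CMS or from LMG Security, and its table layout, function names and sample user are constructed assumptions. It contrasts a string-concatenated lookup with a parameterized one, shows how a defender can confirm that input alters the SQL text without using any working payload, and applies entity encoding to a reflected login-page parameter.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a CMS user table (assumed schema, not the vendor's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice', 'editor')")
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Builds the statement by concatenation, so the username is parsed as SQL.
    This is the shape of code that gives rise to (blind) SQL injection."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_user_hardened(conn, username):
    """Parameterized query: the driver binds the username as data, so it can
    never change the statement's structure regardless of its contents."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def reaches_sql_parser(conn, username):
    """Defender's check: True when the vulnerable lookup lets the input alter
    the SQL text. A single quote in an ordinary name is enough to show this,
    because sqlite raises a syntax error instead of treating it as data."""
    try:
        lookup_user_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def render_login_error(username):
    """Reflects the submitted username into the login page's error message.
    html.escape encodes <, >, &, ' and ", which is the fix for reflected XSS
    when the value lands in an HTML text context."""
    return "<p>Unknown user: " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_hardened(db, "alice"))
    print(reaches_sql_parser(db, "o'brien"))
    print(render_login_error("<b>guest</b>"))
```

The hardened lookup returns `None` for `o'brien` because no such user exists, while the concatenated version fails outright, which is the observable symptom that the input is being interpreted as SQL. Parameterization and output encoding are the code-level fixes; the vendor's upgrade and MFA recommendations above remain the operational controls for deployed installations.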

Gosney warns that the 'ultra admin' account is a vendor backdoor account that grants access to every global installation of this application. An outdated version of this application in one organization could jeopardize all other users, including those on the latest version. To mitigate this risk, Gosney advises affected organizations to immediately upgrade to the latest software version and enable multi-factor authentication.

The discovery was reported to the application provider, which was given more than the standard 90-day window to rectify the issue before this announcement. Gosney further recommends that organizations maintain vigilance about supplier security standards and conduct penetration testing that includes web application and cloud environments at least annually.

LMG Security's identification and disclosure of these vulnerabilities underscore its commitment to cybersecurity and a safer, more secure web. The software provider may have addressed these vulnerabilities in its application v7.75. LMG Security, a recognized leader in cybersecurity consulting, specializes in penetration testing, advisory and compliance services, cybersecurity solutions, and training.
