The critical flaws, which were addressed in October, included reflected cross-site scripting issues, tracked as CVE-2023-48985 and CVE-2023-48986, which could be exploited to intercept login credentials and escalate privileges, respectively, according to a report from LMG Security. Meanwhile, attacks targeting the blind SQL injection bug, tracked as CVE-2023-48987, could expose a table containing CUSG admin accounts' usernames and hashed passwords, even without escalated privileges. "Impacted organizations should immediately upgrade to the latest software version and enable multi-factor authentication to prevent malicious actors who possess the 'ultra admin' password from logging into their CUSG CMS application portal," said LMG Security Consultant Emily Gosney.