Up to 275 credit unions across the U.S. could have been compromised in account takeover and credential theft attacks due to critical vulnerabilities in the CU Solutions Group content management system that could be leveraged for "ultra admin" privileges, reports SecurityWeek.
Included in the critical flaws, which have been addressed in October, were reflected cross-site scripting issues, tracked as CVE-2023-48985 and CVE-2023-48986, which could be exploited to allow login credential interception and escalated privileges, respectively, a report from LMG Security revealed. Meanwhile, attacks targeting the blind SQL injection bug, tracked as CVE-2023-48987, could facilitate the exposure of a table with CUSG admin accounts' usernames and hashed passwords even without escalated privileges. "Impacted organizations should immediately upgrade to the latest software version and enable multi-factor authentication to prevent malicious actors who possess the 'ultra admin' password from logging into their CUSG CMS application portal," said LMG Security Consultant Emily Gosney.
Included in the critical flaws, which have been addressed in October, were reflected cross-site scripting issues, tracked as CVE-2023-48985 and CVE-2023-48986, which could be exploited to allow login credential interception and escalated privileges, respectively, a report from LMG Security revealed. Meanwhile, attacks targeting the blind SQL injection bug, tracked as CVE-2023-48987, could facilitate the exposure of a table with CUSG admin accounts' usernames and hashed passwords even without escalated privileges. "Impacted organizations should immediately upgrade to the latest software version and enable multi-factor authentication to prevent malicious actors who possess the 'ultra admin' password from logging into their CUSG CMS application portal," said LMG Security Consultant Emily Gosney.
