CU Solutions Group CMS vulnerabilities expose credit unions
Take action: If you are using CU Solutions Group CMS, update to version 7.75 or later ASAP.
CU Solutions Group (CUSG) CMS, a content management system tailored for credit unions, has reported three critical vulnerabilities that pose significant risks to as many as 275 credit unions across the United States.
The vulnerabilities were identified by LMG Security and include issues that could enable attackers to achieve "ultra admin" privileges, leading to potential credential theft and account takeovers.
- CVE-2023-48987 (CVSS score 9.8) is a blind SQL injection bug that could permit an authenticated attacker to gain full read/write access to the backend database. This bug could expose a table containing usernames and hashed passwords of CUSG administrative accounts, including the password for the "ultra admin" account, a vendor backdoor account providing global access to all CMS installations.
- CVE-2023-48985 (CVSS score 8.2) is a reflected cross-site scripting (XSS) bug on the admin portal login page, allowing an unauthenticated attacker to intercept login credentials.
- CVE-2023-48986 (CVSS score 8.2), also an XSS flaw, could let attackers with basic access privileges escalate their rights within the admin portal.
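The two bug classes above, SQL injection and reflected XSS, share a root cause: untrusted request input is spliced into a query or a page instead of being passed as data. The following is an added illustration, not code from CUSG or from the LMG Security report, and it assumes nothing about the CMS's real schema or code; the in-memory user table and the login-page message are constructed for the demo. It places each vulnerable pattern next to its hardened form (bound SQL parameters; contextual HTML encoding) so a reviewer can recognise both in a code base.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table (assumption: not CUSG's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "$argon2-placeholder-a", "admin"),
         ("o'brien", "$argon2-placeholder-b", "editor")],
    )
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable pattern: request input spliced into the SQL text.

    Any quote in the input changes the statement's structure, so the SQL
    parser, not the application, decides what the query means.
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened pattern: bound parameter; the input can only ever be a value."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_login_message_unsafe(msg):
    """Vulnerable pattern: a reflected query-string value written raw into HTML."""
    return f'<p class="notice">{msg}</p>'


def render_login_message_safe(msg):
    """Hardened pattern: HTML-encode the value for the element-body context."""
    return f'<p class="notice">{html.escape(msg, quote=True)}</p>'


def apostrophe_breaks_unsafe(conn):
    """Shows the structural flaw without any attack input: a legitimate
    username containing an apostrophe becomes a SQL syntax error."""
    try:
        find_user_unsafe(conn, "o'brien")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(apostrophe_breaks_unsafe(db))
    print(find_user_safe(db, "o'brien"))
    print(render_login_message_safe("<b>session expired</b>"))
```

The apostrophe check is the cheapest way to confirm a query is built by concatenation: if a benign value with a quote produces a database error, the same code path will accept structure-changing input. Parameterisation removes the entire class rather than filtering individual payloads, and output encoding does the same for the login-page reflection; neither replaces the vendor's 7.75 update, but both are what to look for when auditing a CMS of this kind.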
Organizations using the affected versions of the CUSG CMS are advised to immediately upgrade to the latest software version and enable multi-factor authentication. The fixes are incorporated in version 7.75 of the CUSG CMS.