Discover the CVE-2020-12528 vulnerability in MB connect line mymbCONNECT24 and mbCONNECT24 software versions up to V2.6.2. Learn about the impact, affected systems, and mitigation steps.
An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper use of access validation allows a logged-in user to kill web2go sessions in an account they should not have access to.
Understanding CVE-2020-12528
This CVE involves a vulnerability in MB connect line mymbCONNECT24 and mbCONNECT24 software that allows a logged-in user to terminate web2go sessions in accounts they are not authorized to access.
What is CVE-2020-12528?
CVE-2020-12528 is a security vulnerability found in versions up to V2.6.2 of MB connect line mymbCONNECT24 and mbCONNECT24 software. It enables a logged-in user to disrupt web2go sessions in accounts they should not have access to.
The Impact of CVE-2020-12528
The vulnerability has a CVSS base score of 6.5, indicating a medium severity issue. The availability impact is rated high, and only low privileges are required for exploitation.
Technical Details of CVE-2020-12528
This section provides more in-depth technical details about the CVE.
Vulnerability Description
The vulnerability stems from improper access validation: the software does not correctly verify that a logged-in user is authorized for the target account, so that user can terminate web2go sessions in accounts they should not have access to.
Affected Systems and Versions
Exploitation Mechanism
The vulnerability can be exploited by a logged-in user to disrupt web2go sessions in accounts they are not authorized to access.
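The class of flaw described above, as an added example that is not MB connect line's code: a hypothetical session-termination handler that only checks that the caller is logged in, next to one that also checks that the target web2go session belongs to the caller's account. The names `User`, `Session`, `Forbidden`, `kill_session_flawed`, `kill_session_checked` and the account and session IDs are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical data model; the product's real internals are not described on this page.
@dataclass
class User:
    name: str
    account_id: str
    logged_in: bool = True

@dataclass
class Session:
    session_id: str
    account_id: str   # account that owns the web2go session
    active: bool = True

class Forbidden(Exception):
    """Raised when the caller may not act on the requested session."""

def kill_session_flawed(user, sessions, session_id):
    """Authentication only: any logged-in user may end any session."""
    if not user.logged_in:
        raise Forbidden("login required")
    sessions[session_id].active = False

def kill_session_checked(user, sessions, session_id):
    """Authentication plus an ownership check on the target session."""
    if not user.logged_in:
        raise Forbidden("login required")
    target = sessions.get(session_id)
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if target is None or target.account_id != user.account_id:
        raise Forbidden("session not found in caller's account")
    target.active = False

def demo():
    # Constructed sample data: two accounts with one web2go session each.
    def fresh():
        return {"s-a": Session("s-a", "acct-A"), "s-b": Session("s-b", "acct-B")}
    alice = User("alice", "acct-A")
    flawed = fresh()
    kill_session_flawed(alice, flawed, "s-b")     # cross-account kill goes through
    checked = fresh()
    try:
        kill_session_checked(alice, checked, "s-b")
        blocked = False
    except Forbidden:
        blocked = True
    kill_session_checked(alice, checked, "s-a")   # own session can still be ended
    return flawed["s-b"].active, blocked, checked["s-b"].active, checked["s-a"].active
```

`demo()` returns the state of the other account's session under the flawed handler, whether the checked handler refused the cross-account request, and the state of both sessions afterwards.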
Mitigation and Prevention
To address CVE-2020-12528, follow these mitigation steps:
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates