"Vulnerabilities in CUSG CMS Exposed Credit Unions to Attacks"

According to security researchers at LMG Security, three vulnerabilities in the CU Solutions Group (CUSG) content management system (CMS) could have been exploited by hackers in attacks aimed at credit unions. CUSG provides technology and services tailored to credit unions, including a CMS product that lets staff manage content and usage traffic without technical expertise.

According to the researchers, CUSG CMS versions prior to 7.75 are affected by three critical vulnerabilities that could allow an attacker to obtain "ultra admin" privileges, thereby gaining access to any credit union account that is not protected by multi-factor authentication (MFA).

The first issue, tracked as CVE-2023-48985, is described as a reflected cross-site scripting (XSS) bug in the admin portal login page that could allow an unauthenticated attacker to intercept login credentials. The second flaw, also a reflected XSS defect, is tracked as CVE-2023-48986 and could allow an attacker with access to a low-privileged account to elevate their privileges and "perform unintended actions within the admin portal." The third vulnerability, tracked as CVE-2023-48987, is a blind SQL injection bug in the admin portal that could be exploited by an authenticated attacker to "gain full read/write access to the backend database."

The researchers stated that affected organizations should immediately upgrade to the latest software version and enable multi-factor authentication to prevent malicious actors who possess the "ultra admin" password from logging into their CUSG CMS application portal. LMG Security reported the vulnerabilities to CUSG in October 2023 and noted that fixes are included in CUSG CMS version 7.75.


SecurityWeek reports: "Vulnerabilities in CUSG CMS Exposed Credit Unions to Attacks"

Submitted by Adam Ekwall on