Updates

The vulnerabilities are also present on the latest version of Sipwise C5 mr12.2.1.

CVE-2024-28344 – Open Redirect

An Open Redirect vulnerability was found in Sipwise C5 NGCP Dashboard below mr11.5.1. In order to exploit this vulnerability, an authenticated user has to access the Old Admin Panel and to modify the “back” parameter from the URL. This parameter can be found in some of the endpoints used for the normal functionality. An example of the malicious URL will look like this:

The “back” parameter has to be double URL encoded.

A Proof of Concept can be found in the next screenshots:

Image from the web application
Image of the request

CVE-2024-28344 – Impact

The impact of CVE-2024-28344, is that an authenticated user can send this crafted URL, containing the malicious target in “back” parameter, to a victim. The victim accesses the URL and then if clicks the “Back” button, it will be automatically redirected to the malicious target.

CVE-2024-28345 – Broken Access Control

A Broken Access Control vulnerability was found in Sipwise C5 NGCP Dashboard below mr11.5.1 and allows a low privileged user to access the Journal endpoint by visiting the proper URL. The Journal functionality allows users with admin rights to verify what changes have been made on a specific account.

A Proof of Concept can be found in the next screenshot:

Journal endpoint accessed directly via URL

URL used: https://IP:1443/v2/#/administrator/52/journal

Every time the ID of the user is changed, the URL must be visited from the main page (https://IP:1443/) or from a new tab, in order to access it successfully.

CVE-2024-28345 – Impact

The impact of CVE-2024-28345, is that an authenticated low privileged user is able to access the Journal option by visiting the URL directly. With this access, a bad actor can find information about users, such as username, email or role.