CVE-2019-6716

Name of the Vulnerable Software and Affected Versions LogonBox Nervepoint Access Manager versions 2013 through 2017

Description The issue is related to an unauthenticated Insecure Direct Object Reference (IDOR) in Wicket Core. This allows a remote attacker to enumerate internal Active Directory usernames and group names. Additionally, it enables the alteration of back-end server jobs, including backup and synchronization jobs, potentially leading to a Denial of Service attack. This can be achieved by modifying the jobId parameter in a "runJob.html" GET request.

Recommendations For LogonBox Nervepoint Access Manager versions 2013 through 2017, consider restricting access to the "runJob.html" endpoint to prevent unauthorized modifications to server jobs. As a temporary workaround, avoid using the jobId parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.