CVE-2019-9105

Name of the Vulnerable Software and Affected Versions WebApp version 04.68

Description The issue allows remote attackers to make several types of API calls without authentication. This can be demonstrated by retrieving password hashes via an API call to "inc/utils/REST API.php?command=CallAPI&customurl=alladminusers".

Recommendations For WebApp version 04.68, as a temporary workaround, consider restricting access to the inc/utils/REST API.php endpoint until a patch is available. Avoid using the command and customurl parameters in the affected API endpoint until the issue is resolved.