Eaton Zveare

**Name of the Vulnerable Software and Affected Versions** BLUVOYIX (affected versions not specified) **Description** The software contains an improper authentication issue in its backend APIs. A remote attacker who does not have valid credentials can exploit this by sending crafted HTTP requests to the vulnerable APIs. Successful exploitation could grant the attacker full access to customer data and complete compromise of the platform. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BLUVOYIX (affected versions not specified) **Description** The software contains a flaw stemming from the exposure of sensitive internal API documentation. A remote attacker, without needing to authenticate, can exploit this by sending crafted HTTP requests to the exposed APIs. Successful exploitation could allow an attacker to damage the platform by misusing internal functionality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BLUVOYIX (affected versions not specified) **Description** A flaw exists in BLUVOYIX due to inadequate authentication within the BLUVOYIX admin APIs. An attacker without authentication can exploit this by sending crafted HTTP requests to the vulnerable admin API. This allows the creation of a new user with administrative privileges, potentially granting the attacker full access to customer data and complete compromise of the platform. The vulnerable API allows unauthorized user creation with admin rights. The affected API endpoint is the BLUVOYIX admin API. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BLUVOYIX (affected versions not specified) **Description** A design flaw in the email sending API of BLUVOYIX allows an unauthenticated remote attacker to send specially crafted HTTP requests to the vulnerable API. Successful exploitation could enable the attacker to send unsolicited emails to any recipient on behalf of the company. The vulnerable API endpoint is the email sending API. The attack involves sending crafted HTTP requests. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BLUVOYIX (affected versions not specified) **Description** The software contains a flaw related to insecure password storage and exposure through unauthenticated APIs. An unauthenticated remote attacker could potentially retrieve plaintext passwords of users by sending crafted HTTP requests to the users API. Successful exploitation may grant the attacker full access to customer data and complete compromise of the platform, potentially through login using an exposed admin email address and password. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.