Ehakkus

**Name of the Vulnerable Software and Affected Versions** Servisnet Tessa version 0.0.2 **Description** An issue was discovered that allows an attacker to add a new sysadmin user via a manipulation of the `Authorization` HTTP header. **Recommendations** For Servisnet Tessa version 0.0.2, consider restricting access to the Authorization HTTP header to prevent manipulation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Servisnet Tessa version 0.0.2 **Description** An issue was discovered where authorization data is available via an unauthenticated request to the "/data-service/users/" API endpoint. **Recommendations** For Servisnet Tessa version 0.0.2, consider restricting access to the "/data-service/users/" API endpoint to prevent unauthorized access to authorization data until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Netsia SEBA+ versions 0.16.1 and earlier, specifically build 70-e669dcd7 **Description** The issue allows remote attackers to discover session cookies via a direct "/session/list/allActiveSession" API endpoint request. This can lead to the discovery of the admin's cookie if the admin account is logged in when the request occurs, allowing the attacker to use that cookie immediately for admin access. **Recommendations** For Netsia SEBA+ versions 0.16.1 and earlier, consider restricting access to the "/session/list/allActiveSession" API endpoint to minimize the risk of exploitation. As a temporary workaround, limit the use of admin accounts when the allActiveSession request may occur. At the moment, there is no information about a newer version that contains a fix for this vulnerability.