Qahramon Choriyev

#26262 of 53,635
9.8 Total CVSS
Vulnerabilities · 1
PT-2026-49099
9.8
2026-06-13
Nefteprodukttekhnika Llc · Buk Ts-G Gas Station Automation System · CVE-2026-12183
**Name of the Vulnerable Software and Affected Versions**

Nefteprodukttekhnika BUK TS-G Gas Station Automation System versions 2.9.1 through 2.10.2

**Description**

An improper authentication issue exists in the system configuration module. The '/php/ajax-login.php' endpoint returns `userid=1` (administrator) when receiving any HTTP POST request with arbitrary credentials via the `login` and `pwd` parameters. Furthermore, privileged endpoints under '/php/ajax-main.php' and '/modules/*' fail to validate server-side sessions. This allows a remote unauthenticated attacker to perform administrative actions, such as reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.