Shubhangborkar

Name of the Vulnerable Software and Affected Versions: Aikaan IoT management platform version 3.25.0325-5-g2e9c59796 Description: The Aikaan IoT management platform sends newly generated passwords to users in plaintext via email. The same password is also included as a query parameter in the account activation URL, such as `/activate=xyz`. This can lead to password exposure through browser history, proxy logs, referrer headers, and email caching, impacting user credential confidentiality during initial onboarding. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Aikaan IoT management platform version 3.25.0325-5-g2e9c59796 Description: The Aikaan IoT management platform allows unauthenticated users to register accounts via APIs, even when user sign-up is disabled through the user interface. This bypasses intended access controls and allows unauthorized access to admin portals. The sign-up `API endpoint` remains publicly accessible and functional despite the configuration to disable user sign-up on the login page UI. Recommendations: Disable the sign-up `API endpoint` to prevent unauthorized account creation.