PT-2015-6390 · Acunetix · Acunetix Web Vulnerability Scanner

Daniele Linguaglossa · Published 2015-12-17 · Updated 2020-08-03 · CVE-2015-4027

CVSS v2.0: 7.2 (High)

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Acunetix Web Vulnerability Scanner (WVS) versions prior to 10 build 20151125

Description

The issue allows local users to gain privileges via a command parameter in the reporttemplate property in a params JSON object to the "api/addScan" API endpoint.

Recommendations

For versions prior to 10 build 20151125, update to a version newer than 10 build 20151125 to resolve the issue. As a temporary workaround, consider restricting access to the "api/addScan" API endpoint to minimize the risk of exploitation. Avoid using the reporttemplate property in the params JSON object until the issue is resolved.


Weakness Enumeration

Related Identifiers

CVE-2015-4027

Affected Products

Acunetix Web Vulnerability Scanner