CVE-2018-15658

Name of the Vulnerable Software and Affected Versions 42Gears SureMDM versions prior to 2018-11-27

Description An issue was discovered that allows an attacker to see the markup presented to an authenticated user by visiting the "/console/ConsolePage/Master.html" API endpoint. This occurs because session validation happens after the initial markup is loaded, resulting in the disclosure of unprotected API endpoints. These endpoints reveal sensitive data, including call logs, SMS logs, and user-account information.

Recommendations For versions prior to 2018-11-27, update to a version released after 2018-11-27 to resolve the issue. As a temporary workaround, consider restricting access to the "/console/ConsolePage/Master.html" endpoint until a patch is available. Additionally, limit access to the disclosed API endpoints to minimize the risk of data exposure.