PT-2025-2365 · Software AG · webMethods

Rasime Ekici · Published 2025-01-29 · Updated 2025-04-16 · CVE-2024-23733

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Software AG webMethods versions 10.15.0 before Core Fix7

Description: The issue allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the "/WmAdmin/#/login/" API endpoint.

Recommendations: For Software AG webMethods versions 10.15.0 before Core Fix7, consider disabling access to the "/WmAdmin/#/login/" API endpoint until a patch is available. Restrict the use of the username and password variables in this endpoint to minimize the risk of exploitation.
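As an added illustration of the recommendation above (not part of the advisory or of the vendor's documentation), the following nginx configuration restricts the webMethods administration UI to an administrative network when nginx fronts the Integration Server; the upstream address, hostname, certificate paths and admin subnet are assumptions. Note that "#/login/" is a browser-side fragment that is never sent to the server, so the server-side prefix to restrict is "/WmAdmin/".

```nginx
# Added example: reverse proxy in front of webMethods (assumed deployment).
# Restricts the administration UI path named in the advisory to an admin subnet.
# The "#/login/" part of the advisory URL is a browser-side fragment, so the
# server only ever sees the "/WmAdmin/" prefix; that prefix is what we restrict.

upstream webmethods_is {
    server 10.0.0.10:5555;   # assumed Integration Server address
}

server {
    listen 443 ssl;
    server_name integration.example.internal;   # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Administration UI: reachable only from the assumed admin network.
    # Everyone else receives 403 before the request reaches webMethods, so the
    # unauthenticated login endpoint cannot be probed from untrusted networks.
    location /WmAdmin/ {
        allow 10.10.0.0/24;   # assumed admin subnet
        deny  all;
        proxy_pass http://webmethods_is;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (integration endpoints) stays reachable.
    location / {
        proxy_pass http://webmethods_is;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Denied requests appear in the nginx access log with status 403, which gives a simple signal for monitoring attempts against the endpoint while Core Fix7 is pending.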

Weakness Enumeration: Insufficiently Protected Credentials

Related Identifiers: CVE-2024-23733

Affected Products: webMethods