Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be already in use by another user. It was therefore possible to access the application through a user whose credentials were not known, without any attempt by the testers to modify the application logic. It is also possible to set the value of the session token, client-side, simply by making an unauthenticated GET Request to the Home Page and adding an arbitrary value to the JSESSIONID field. The application, following the login, does not assign a new token, continuing to keep the inserted one, as the identifier of the entire session. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
ARCHIBUS Web Central 授权问题漏洞
Vulnerability Description
ARCHIBUS Web Central是ARCHIBUS的一个web网络管理中心,在直观的 Web 浏览器界面中组织设施和基础设施管理任务。所有基础设施数据都存储在一个集中存储库中,以便来自世界任何地方的授权用户都可以输入、编辑和监控这些数据。 ARCHIBUS Web Central 21.3.3.815(2014 年的版本)中存在安全漏洞,该漏洞源于/archibus/login.axvw 中的 Web 应用程序分配一个会话令牌,该令牌可能已被其他用户使用。
CVSS Information
N/A
Vulnerability Type
N/A