Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Software AG WebMethods access control
Vulnerability Description
A vulnerability classified as critical has been found in Software AG WebMethods 10.11.x/10.15.x. Affected is an unknown function of the file wm.server/connect/. The manipulation leads to improper access controls. It is possible to launch the attack remotely. To access a file like /assets/ a popup may request username and password. By just clicking CANCEL you will be redirected to the directory. If you visited /invoke/wm.server/connect, you'll be able to see details like internal IPs, ports, and versions. In some cases if access to /assets/ is refused, you may enter /assets/x as a wrong value, then come back to /assets/ which we will show the requested data. It appears that insufficient access control is depending on referrer header data. VDB-247158 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
访问控制不恰当
Vulnerability Title
Software AG webMethods 访问控制错误漏洞
Vulnerability Description
Software AG webMethods是Software AG公司的一套集成和应用程序开发工具,用于帮助组织实现应用程序集成、数据集成、业务流程管理和应用程序开发等任务。webMethods 旨在帮助企业更好地管理其IT生态系统,提高效率,加速业务流程,并实现数字化转型。 Software AG WebMethods 10.11.x版本和10.15.x版本存在访问控制错误漏洞,该漏洞源于文件wm.server/connect/会导致不正确的访问控制。
CVSS Information
N/A
Vulnerability Type
N/A