WebErpMesv2 allows unauthenticated API Access

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

关键功能的认证机制缺失

WebErpMesv2 访问控制错误漏洞

WebErpMesv2是Kevin个人开发者的一个面向工业的资源管理和制造的Web系统。 WebErpMesv2 1.19之前版本存在访问控制错误漏洞，该漏洞源于多个敏感API端点未使用身份验证中间件，可能导致未经身份验证的远程攻击者读取关键业务数据。

N/A

N/A