Vulnerability title
N/A
Vulnerability description
** UNSUPPORTED WHEN ASSIGNED ** In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the web application at /archibus/login.axvw assigns a session token that may already be in use by another user. It was therefore possible to access the application as a user whose credentials were not known, without the testers making any attempt to modify the application logic. It is also possible to set the value of the session token client-side, simply by making an unauthenticated GET request to the home page and supplying an arbitrary value in the JSESSIONID field. After login the application does not assign a new token; it keeps the inserted one as the identifier for the entire session. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability category
N/A
Vulnerability title
N/A
Vulnerability description
In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the web application at /archibus/login.axvw assigns a session token that could already be in use by another user. It was therefore possible to access the application as a user whose credentials were not known, without any attempt by the testers to modify the application logic. It is also possible to set the value of the session token client-side, simply by making an unauthenticated GET request to the home page and adding an arbitrary value to the JSESSIONID field. Following the login, the application does not assign a new token; it continues to keep the inserted one as the identifier of the entire session. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
ARCHIBUS Web Central authorization issue vulnerability
Vulnerability description
ARCHIBUS Web Central is the web-based management centre of ARCHIBUS; it organizes facility and infrastructure management tasks in an intuitive web browser interface. All infrastructure data is stored in a centralized repository so that authorized users anywhere in the world can enter, edit and monitor it. A security vulnerability exists in ARCHIBUS Web Central 21.3.3.815 (a 2014 release): the web application at /archibus/login.axvw assigns a session token that may already be in use by another user.
CVSS information
N/A
Vulnerability category
Authorization issue