Description

Invicti determined that it is possible to access an installer of the web application without authentication. Depending on the installer, an attacker can takeover of the server.

Remediation

Restrict access to the installer

References

OWASP Authentication Cheat Sheet

Related Vulnerabilities

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-5473)

IIS extended unicode directory traversal vulnerability

PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-15099)

Joomla 1.5 end of life

silverstripeCMS Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-6789)

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Insecure Admin Access Configuration