Description

The Haproxy provides Data Plane API for accessing various information and configuring it. Acunetix determined that it was possible to access this API without authentication or using weak/known login and password.

Remediation

Restrict access to the Haproxy Data Plane API interface

References

Data Plane API Installation

Related Vulnerabilities

OpenSSL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-3195)

WordPress Plugin Simple History Information Disclosure (2.7.4)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-0724)

WordPress Plugin Customer Reviews for WooCommerce Multiple Vulnerabilities (5.3.5)

PHP register_globals enabled

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Tags

Default Credentials Weak Credentials Configuration Abuse Of Functionality