Description

The Haproxy provides Data Plane API for accessing various information and configuring it. Acunetix determined that it was possible to access this API without authentication or using weak/known login and password.

Remediation

Restrict access to the Haproxy Data Plane API interface

References

Data Plane API Installation

Related Vulnerabilities

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-8669)

WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-5835)

WordPress 4.5.x Multiple Vulnerabilities (4.5 - 4.5.2)

WordPress Plugin Shopp Multiple Vulnerabilities (1.0.17)

MySQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-8286)

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Tags

Default Credentials Weak Credentials Configuration Abuse Of Functionality