Description
NGINX Plus is a software load balancer, web server, and content cache built on top of open source NGINX. NGINX Plus has exclusive enterprise-grade features beyond what's available in the open source offering, including session persistence, configuration via API, and active health checks.
NGINX Plus comes with a web-based Live Activity Monitoring dashboard. Acunetix determined that it was possible to access this dashboard without authentication.
It's recommended to restrict access to the NGINX+ Dashboard as it may contain information that could be useful for an attacker.
Remediation
Restrict access to the NGINX+ Dashboard.
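One way to apply this restriction, shown as an added example and not configuration taken from Acunetix or the NGINX Plus documentation. The listen address, admin subnet and password-file path are assumptions; `/api` and `/dashboard.html` follow the usual NGINX Plus layout and should be adjusted to match the deployed configuration.

```nginx
# Constructed example: addresses, port and file paths are assumptions.

# Before: the API and dashboard answer any client that can reach port 8080.
# server {
#     listen 8080;
#     location /api { api write=on; }
#     location = /dashboard.html { root /usr/share/nginx/html; }
# }

# After: listen on an internal address only, allow the admin network,
# and require credentials in addition to the address check.
server {
    listen 10.0.0.5:8080;            # assumed management interface, not all interfaces

    # Inherited by every location below that does not define its own rules.
    allow 10.0.0.0/24;               # assumed admin subnet
    allow 127.0.0.1;
    deny  all;

    # With the default "satisfy all", a client must pass BOTH the
    # allow/deny rules above and HTTP basic authentication.
    auth_basic           "NGINX Plus status";
    auth_basic_user_file /etc/nginx/.htpasswd-status;   # assumed path

    location /api {
        api write=off;               # read-only: the dashboard can display but not modify
    }

    location = /dashboard.html {
        root /usr/share/nginx/html;
    }
}
```

Basic authentication sends credentials in clear text unless the listener is also configured for TLS. After reloading, an unauthenticated request to the dashboard URL from outside the allowed network should return 403 instead of the dashboard.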