Authentication flaw

2017-09-2218:29:00

PRIOn knowledge base

www.prio-n.com

8 High

AI Score

Confidence

High

0.752 High

EPSS

Percentile

98.2%

JSON

DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToken field in the reply. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.

CPENameOperatorVersion
i-suiteeq5.6.0
i-suiteeq5.5.12
i-suiteeq5.5.11
i-suiteeq5.5.10
i-suiteeq5.5.9
i-suiteeq5.5.0
web_application_firewalleq6.4.0
web_application_firewalleq6.3.0
web_application_firewalleq6.2.0
web_application_firewalleq6.1.0

Name	Operator	Version
i-suite	eq	5.6.0
i-suite	eq	5.5.12
i-suite	eq	5.5.11
i-suite	eq	5.5.10
i-suite	eq	5.5.9
i-suite	eq	5.5.0
web_application_firewall	eq	6.4.0
web_application_firewall	eq	6.3.0
web_application_firewall	eq	6.2.0
web_application_firewall	eq	6.1.0