Vulnerability Summary
The WAF rule protecting the admin panel at /admin/* matches the raw, undecoded request path, so URL-encoding any single character in the path bypasses it. Where a direct request to the admin login is redirected away, an encoded variant (e.g. %61dmin → admin) passes straight through and renders the full admin login form.
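The fix for this class of bypass is to canonicalise the path before the rule sees it, and to canonicalise it the same way the origin does. The following is an added example, not code from the page or from the affected product: a naive literal prefix match of the kind described above next to a check that percent-decodes until stable (so double-encoding such as %2561 is caught too), collapses duplicate slashes, resolves dot-segments and folds case. The /admin prefix, the decode limit and case-insensitive routing are assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

ADMIN_PREFIX = "/admin"  # assumed: the protected panel path from the summary above


def naive_is_admin_path(raw_path: str) -> bool:
    """The pattern the summary describes: a literal match on the undecoded path.
    "/%61dmin/login" is not "/admin/login" byte for byte, so it is not matched."""
    return raw_path == ADMIN_PREFIX or raw_path.startswith(ADMIN_PREFIX + "/")


def canonical_path(raw_path: str, max_decode_rounds: int = 3) -> str:
    """Canonicalise a request path into the form the origin's router will see,
    so that the access-control rule is evaluated on that form and nothing else."""
    path = raw_path.split("?", 1)[0]        # query string plays no part in routing
    for _ in range(max_decode_rounds):      # %2561 -> %61 -> a: decode until stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")          # some stacks treat backslash as a separator
    path = re.sub(r"/+", "/", "/" + path)   # collapse "//" (posixpath keeps a leading "//")
    path = posixpath.normpath(path)         # resolve "." and ".." segments
    return path.lower()                     # assumed: case-insensitive routing at the origin


def hardened_is_admin_path(raw_path: str) -> bool:
    """Same rule, applied to the canonical path instead of the raw one."""
    return naive_is_admin_path(canonical_path(raw_path))


if __name__ == "__main__":
    for p in ["/admin/login", "/%61dmin/login", "/%2561dmin/login",
              "/static/../ADMIN/", "//admin//login?next=%2F", "/administrator"]:
        print(f"{p:28} naive={naive_is_admin_path(p)!s:5} hardened={hardened_is_admin_path(p)}")
```

The decode loop is deliberately more aggressive than most origins (they decode once); for a block rule that errs on the side of matching, which is the safe direction. The rule must still be kept in step with the real router: if the application ever decodes differently (for instance treating `;` path parameters or Unicode normalisation), the canonicaliser has to do the same.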
The exposed login then has effectively no bot protection: its reCAPTCHA v3 is wired up with an empty sitekey, so it never initializes or validates. Combined with no observed rate-limiting, this leaves the admin auth endpoint open to unlimited automated login attempts.
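Two controls are missing from the login described above: the CAPTCHA should fail closed when it is unconfigured, and attempts should be rate-limited regardless of the CAPTCHA. The following is an added example (not the page's or the vendor's code) of a guard that refuses to start with an empty sitekey or secret, counts every attempt per client/username pair in a sliding window, and only then consults the reCAPTCHA verdict. The `verify_token` callable is an assumed stand-in for the siteverify HTTPS call so the example runs offline; the thresholds and window are assumptions too.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Optional


class LoginGuard:
    """Gate in front of the admin login handler.

    verify_token stands in for the reCAPTCHA siteverify request (an HTTPS POST
    carrying the secret and the client token). It is injected so the example
    runs offline; it must return the v3 score, or None if verification failed.
    """

    def __init__(self, sitekey: str, secret: str,
                 verify_token: Callable[[str, str], Optional[float]],
                 max_attempts: int = 5, window_s: float = 300.0,
                 min_score: float = 0.5,
                 clock: Callable[[], float] = time.monotonic):
        # Fail closed: an unconfigured CAPTCHA must stop the endpoint from
        # starting, not quietly serve a form with no bot check at all.
        if not sitekey or not secret:
            raise ValueError("reCAPTCHA sitekey/secret not configured; refusing to serve login")
        self.sitekey = sitekey
        self._secret = secret
        self._verify = verify_token
        self._max = max_attempts
        self._window = window_s
        self._min_score = min_score
        self._clock = clock
        self._attempts: dict = defaultdict(deque)   # (ip, user) -> attempt timestamps

    def allow(self, client_ip: str, username: str, captcha_token: str) -> tuple:
        """Return (allowed, reason). Rate limiting is evaluated before the
        CAPTCHA so a flood cannot be used to exhaust verification calls."""
        now = self._clock()
        bucket = self._attempts[(client_ip, username.lower())]
        while bucket and now - bucket[0] > self._window:   # drop attempts outside the window
            bucket.popleft()
        if len(bucket) >= self._max:
            return False, "rate_limited"
        bucket.append(now)           # every attempt counts, including ones that fail the CAPTCHA
        if not captcha_token:
            return False, "captcha_missing"
        score = self._verify(self._secret, captcha_token)
        if score is None or score < self._min_score:
            return False, "captcha_failed"
        return True, "ok"


if __name__ == "__main__":
    # Constructed verifier: only the token "good" scores as human.
    guard = LoginGuard("site-key", "secret-key",
                       lambda secret, tok: 0.9 if tok == "good" else 0.1,
                       max_attempts=3, window_s=60)
    for tok in ["", "bad", "good", "good"]:
        print(tok or "<empty>", guard.allow("203.0.113.7", "admin", tok))
```

Keying the bucket on (client IP, username) is the minimum; a second bucket keyed on the username alone is what stops a credential-stuffing run spread across many source addresses, and the lockout it produces should be short so it cannot be turned into a denial of service against the real admin.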
Separately, a production JavaScript bundle leaks an internal employee email address (a plausible valid admin username) along with an Azure AD tenant ID, both embedded in a Microsoft SafeLinks URL that had been pasted in place of the analytics host. SafeLinks rewrites links in Outlook mail, and the rewritten URL carries the recipient's address and tenant in its query string, which is how a copy-and-paste from an email put both values into the bundle.
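This is worth hunting for across any production bundle. As an added example (not code from the page), the scanner below finds SafeLinks-wrapped URLs, recovers the original target from the `url` parameter, and regex-scans the remaining parameters for email addresses and GUIDs without depending on the exact field layout of the `data` parameter. The bundle text and every value in it are constructed for the example.

```python
import re
import sys
from urllib.parse import parse_qs, urlsplit

SAFELINKS_RE = re.compile(r"https://[\w.-]+\.safelinks\.protection\.outlook\.com/\?[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
GUID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)


def extract_safelinks(text: str) -> list:
    """Return one finding per SafeLinks URL: where it was rewritten, the
    original target, and any identities found in the other parameters."""
    findings = []
    for match in SAFELINKS_RE.finditer(text):
        link = match.group(0)
        parts = urlsplit(link)
        qs = parse_qs(parts.query)                 # percent-decodes each value
        target = qs.get("url", [""])[0]
        # Everything other than "url" is scanned blind: no reliance on field order.
        blob = "|".join(v for k, vals in qs.items() if k != "url" for v in vals)
        findings.append({
            "rewritten_by": parts.netloc,
            "target": target,
            "emails": sorted(set(EMAIL_RE.findall(blob))),
            "guids": sorted(set(GUID_RE.findall(blob))),
        })
    return findings


# Constructed sample: a bundle in which the analytics host was replaced by a
# SafeLinks-wrapped copy. The address and GUID are placeholders, not real values.
SAMPLE_BUNDLE = (
    'var t={analyticsHost:"https://eur01.safelinks.protection.outlook.com/?url='
    'https%3A%2F%2Fanalytics.example.test%2Fcollect&data=05%7C01%7Cjane.doe%40corp.example%7C'
    '638000000000000000%7C11111111-2222-3333-4444-555555555555%7C0%7C0%7C&sdata=abc&reserved=0",'
    'appName:"shop"};'
)

if __name__ == "__main__":
    # Usage: python safelinks_scan.py bundle.js [...]; with no arguments, scan the sample.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, text in sources or [("SAMPLE_BUNDLE", SAMPLE_BUNDLE)]:
        for f in extract_safelinks(text):
            print(name, f)
```

A hit means more than an information leak: the rewritten link sends every page view through Microsoft's redirector instead of the intended analytics host, so the finding is also a functional bug the owning team will want to fix.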
[REDACTED-HOST] — Symfony-based admin panel (primary)

An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database, selected by a single option request header. The only access control is a Referer string check, which any HTTP client trivially bypasses because the Referer header is entirely under the client's control. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.
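To make the failure concrete, here is an added example (not the servlet's code, nor anything from the report) of a single-entry-point handler with the four operations, first guarded by a Referer substring check and then by an authorisation function that looks at the authenticated principal, the role, the HTTP method and a session-bound CSRF token instead. The header name `option`, the role names, the CSRF header and the campaign rows are all assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    method: str
    headers: dict                        # assumed: the operation is named in an "option" header
    params: dict = field(default_factory=dict)
    user: Optional[str] = None           # authenticated principal; None means anonymous
    roles: frozenset = frozenset()
    session_csrf: str = ""               # CSRF token bound to the session, if any


READ_OPS = {"getData", "getDataById"}
WRITE_OPS = {"setData", "updateData"}


def referer_only_authorize(req: Request, op: str) -> bool:
    """The flawed scheme: the Referer header is attacker-supplied, so this proves nothing."""
    return "backoffice.example" in req.headers.get("Referer", "")


def hardened_authorize(req: Request, op: str) -> bool:
    """Identity, role, method and CSRF token; the Referer header is never consulted."""
    if req.user is None:
        return False
    if op in READ_OPS:
        return bool(req.roles & {"campaign-reader", "campaign-editor"})
    if op in WRITE_OPS:
        return (req.method == "POST"
                and "campaign-editor" in req.roles
                and bool(req.session_csrf)
                and req.headers.get("CSRF-Token") == req.session_csrf)
    return False


def handle(req: Request, db: dict, authorize: Callable[[Request, str], bool]) -> tuple:
    """Minimal stand-in for the servlet: one entry point, four operations."""
    op = req.headers.get("option", "")
    if not authorize(req, op):
        return 403, None
    if op == "getData":
        return 200, list(db.values())
    if op == "getDataById":
        return 200, db.get(int(req.params.get("id", -1)))
    if op == "setData":
        new_id = max(db, default=0) + 1
        db[new_id] = {"name": req.params.get("name", ""), "segment": req.params.get("segment", "")}
        return 201, new_id
    if op == "updateData":
        cid = int(req.params.get("id", -1))
        if cid not in db:
            return 404, None
        db[cid].update({k: v for k, v in req.params.items() if k in ("name", "segment")})
        return 200, db[cid]
    return 400, None


def sample_db() -> dict:
    """Constructed sample rows, not the real campaign dataset."""
    return {1: {"name": "Spring launch", "segment": "prospects-eu"},
            2: {"name": "Loyalty reactivation", "segment": "lapsed-customers"}}


if __name__ == "__main__":
    forged = Request("GET", {"Referer": "https://backoffice.example/campaigns", "option": "updateData"},
                     {"id": "1", "name": "overwritten by anonymous"})
    db = sample_db()
    print("referer check:", handle(forged, db, referer_only_authorize), db[1])
    db = sample_db()
    print("hardened     :", handle(forged, db, hardened_authorize), db[1])
```

The hardened check also refuses write operations over GET, which matters for a servlet that keys everything on a header: a write reachable by GET is one a browser can be made to issue from any origin.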
HackerOne disclosed report --> https://hackerone.com/reports/3676308 by glferreira-devsecops
A vulnerability was identified where an authenticated user could disable Multi-Factor Authentication (MFA) on their own account by modifying hidden account attributes through a backend API endpoint. This allowed subsequent logins without an MFA prompt, effectively bypassing the security control and increasing the risk of unauthorized access in the event of credential compromise.
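What the summary describes is the mass-assignment pattern: an update endpoint that writes whatever attributes the client names, including ones the UI never exposes. The following is an added example, not the affected application's code, showing that handler beside a hardened version that allow-lists the profile fields, rejects anything else, and moves MFA changes to their own endpoint behind step-up authentication. The `Account` fields, the allow-list and the exception names are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    display_name: str
    mfa_enabled: bool = True
    is_admin: bool = False


class StepUpRequired(Exception):
    """Raised when a sensitive change is attempted without a fresh MFA verification."""


# Assumed: the only fields the profile form actually lets a user edit.
PROFILE_FIELDS = frozenset({"display_name", "email"})


def update_profile_vulnerable(account: Account, payload: dict) -> Account:
    """Writes every attribute the client names. A body such as
    {"display_name": "Ann", "mfa_enabled": false} silently turns MFA off."""
    for key, value in payload.items():
        if hasattr(account, key):
            setattr(account, key, value)
    return account


def update_profile_hardened(account: Account, payload: dict) -> Account:
    """Allow-list the writable fields and reject anything else outright, so a
    probe for hidden attributes fails loudly instead of being ignored."""
    unexpected = set(payload) - PROFILE_FIELDS
    if unexpected:
        raise PermissionError(f"not writable through the profile API: {sorted(unexpected)}")
    for key in PROFILE_FIELDS & set(payload):
        setattr(account, key, payload[key])
    return account


def disable_mfa(account: Account, mfa_verified_within_session: bool) -> Account:
    """MFA changes get their own endpoint and require step-up authentication:
    a stolen password alone must not be enough to remove the second factor."""
    if not mfa_verified_within_session:
        raise StepUpRequired("re-verify with your second factor before changing MFA settings")
    account.mfa_enabled = False
    # In production: write an audit event and notify the account owner here.
    return account


if __name__ == "__main__":
    probe = {"display_name": "Ann", "mfa_enabled": False}
    print("vulnerable:", update_profile_vulnerable(Account("u@example.test", "U"), probe))
    try:
        update_profile_hardened(Account("u@example.test", "U"), probe)
    except PermissionError as exc:
        print("hardened  :", exc)
```

Rejecting unknown fields rather than dropping them is a deliberate choice: it turns an attacker's probing into a signal the logs can surface, and it catches the case where a later front-end change starts sending a field the backend never meant to accept.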