Published: 22/09/2017 Updated: 05/10/2017

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 790

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

DenyAll WAF prior to 6.4.1 allows unauthenticated remote malicious users to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToken field in the reply. This affects DenyAll i-Suite LTS 5.5.0 up to and including 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x prior to 6.4.1, with On Premises or AWS/Azure cloud deployments.

Vulnerable Product	Search on Vulmon	Subscribe to Product
denyall i-suite 5.5.11
denyall i-suite 5.5.10
denyall i-suite 5.5.9
denyall i-suite 5.5.0
denyall web application firewall 6.4.0
denyall web application firewall 6.3.0
denyall web application firewall 6.2.0
denyall web application firewall 6.1.0
denyall web application firewall 5.7.0
denyall i-suite 5.5.12
denyall web application firewall 6.0.0
denyall i-suite 5.6.0

CWE-287 https://www.denyall.com/blog/advisories/advisory-unauthenticated-remote-code-execution-denyall-web-application-firewall/https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/https://github.com/rapid7/metasploit-framework/pull/8980 https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2017-14706

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect