Vulnerability Details CVE-2022-35413
WAPPLES through 6.0 has a hardcoded systemi account. A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.918
EPSS Ranking 99.7%
CVSS Severity
CVSS v3 Score 9.8
References
- https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview
- https://medium.com/%40_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb
- https://www.pentasecurity.com/product/wapples/
- https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview
- https://medium.com/%40_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb
- https://www.pentasecurity.com/product/wapples/
Products affected by CVE-2022-35413
-
cpe:2.3:a:pentasecurity:wapples:4.0.54.1
-
cpe:2.3:a:pentasecurity:wapples:5.0.0
-
cpe:2.3:a:pentasecurity:wapples:5.0.0.0
-
cpe:2.3:a:pentasecurity:wapples:5.0.12
-
cpe:2.3:a:pentasecurity:wapples:5.0.12.0
-
cpe:2.3:a:pentasecurity:wapples:6.0.0