InterMind iMind Server through 3.13.65 allows remote unauthenticated attackers to read the self-diagnostic archive via a direct api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 request.
Recent assessments:
trump88 at October 10, 2020 6:25am UTC reported:
Authentication Bypass Vulnerability in Mind Server version <= 3.13.65 allows any user to steal the self-diagnostic archive via a direct request <https://PWND.SITE/api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1>. The archive contains copies of the main configuration files and event logs of Mind Server portal. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.
Origin: <https://github.com/trump88/CVE-2020-24765>
Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 5