Hardcoded credentials

2022-09-1322:15:00

PRIOn knowledge base

www.prio-n.com

9.2 High

AI Score

Confidence

High

0.799 High

EPSS

Percentile

98.3%

JSON

WAPPLES through 6.0 has a hardcoded systemi account. A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.

CPENameOperatorVersion
wapplesge4.0.54.1
wapplesle6.0.0

CPE	Name	Operator	Version
	wapples	ge	4.0.54.1
	wapples	le	6.0.0

References

azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview

medium.com/@_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb

www.pentasecurity.com/product/wapples/