leekenghwa / CVE-2023-37755---Hardcoded-Admin-Credential-in-i-doit-Pro-25-and-below


CVE-2023-37755 - Hardcoded Admin Credential in i-doit Pro 25 and below

i-doit Pro 25 and below are vulnerable to a hardcoded admin credential. This vulnerability allows anyone to log in as admin with just the username “admin” and password “admin”.

Description of product: i-doit is a web-based open-source IT documentation and CMDB (Configuration Management Database) developed by synetics GmbH. i-doit Pro is the commercial version of the software and requires a paid license. It comes with additional features, professional support, and regular updates and enhancements. Users need to purchase a license to use i-doit Pro, and the cost varies based on the number of users and features required.

Description of vulnerability: We found that this web application ships with a hardcoded admin credential that allows anyone to log in as admin with just the username “admin” and password “admin”.

Affected Webpage: main login page

Affected parameter & component: main login page

Step 1: there is no option for the application owner to set up the admin credential on the initial setup page.

(Screenshots: step1, step2, step3)

This is the account creation for the admin-center, not for the main login.

(Screenshots: step4_admin_center_setup, step5, step6, step7)

The admin-center is where the application owner manages licenses, uploads plugins, manages tenants, etc.

(Screenshots: step8, step9, step10)
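An added example of the mitigation the setup flow is missing (this is illustrative code, not i-doit's own): an initial-setup routine that forces the application owner to choose the main-login admin password, refuses the “admin”/“admin” pair and other defaults, and persists only a salted PBKDF2 hash. The default-credential list, the length rule and the record layout are assumptions for illustration.

```python
import hashlib
import os
import secrets

# Constructed list of vendor-default pairs a setup wizard must refuse;
# "admin"/"admin" is the pair reported for i-doit Pro 25 and below.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_PASSWORD_LENGTH = 12  # assumed policy value
PBKDF2_ROUNDS = 600_000


def password_violations(username: str, password: str) -> list[str]:
    """Return every reason the proposed admin password is unacceptable.

    An empty list means the setup wizard may create the account.
    """
    problems = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("matches a known default credential")
    if password.lower() == username.lower():
        problems.append("password equals the username")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.isalpha() or password.isdigit():
        problems.append("uses a single character class")
    return problems


def create_admin_account(username: str, password: str) -> dict:
    """Create the main-login admin record during initial setup.

    Refuses to proceed unless the owner supplied a non-default password,
    so the instance never ships with a hardcoded login.
    """
    problems = password_violations(username, password)
    if problems:
        raise ValueError("refusing to create admin: " + "; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Only the salt and hash are persisted; the plaintext never leaves this scope.
    return {"username": username, "salt": salt.hex(), "hash": digest.hex()}


def verify_login(record: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored record in constant time."""
    if username != record["username"]:
        return False
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(digest.hex(), record["hash"])
```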
