CVE-2020-24765
Authentication Bypass Vulnerability in Mind Server version <= 3.13.65 allows any user to steal the self-diagnostic archive via a direct request.
CVSS v2: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS v2 Score (BS): 5
CVSS v3: (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVSS v3 Score (BS): 5.3
Information
Description: Authentication Bypass Vulnerability allows any user to steal the self-diagnostic archive via a direct request https://PWND.SITE/api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1. The archive contains copies of the main configuration files and event logs of Mind Server portal. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.
Class: Design Error
Researcher: Vadim Golovanov (https://github.com/trump88/)
Issue date: 2020-07-06 (Initial Advisory)
Public release: 2020-10-08
Disclosure Link:
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2020-24765
POC
An example of vector: the official site of Vendor
https://vcs.imind.ru/api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1