An authentication bypass vulnerability was found in Stilog Visual Planning 8. It allows an unauthenticated attacker to receive an administrative API token.
The vulnerability (CWE-294 — Authentication Bypass by Capture-replay) consists of the ability to bypass the authentication mechanism in the application's API interface. An unauthorized attacker can send a specially crafted network request and receive an administrative API token in response. The obtained token grants authorization to perform operations reserved exclusively for system administrators.
The attacker gains full administrative access to the application's API, enabling reading and modification of data, as well as potentially taking control over the entire Visual Planning 8 instance.
Patches available from the vendor should be applied according to references — updates are available at https://www.visual-planning.com/en/support-portal/updates
Stilog Visual Planning 8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H