The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform.
The vulnerability stems from an improper authentication mechanism (CWE-287) in the BLUVOYIX system's backend APIs. An attacker can exploit it by sending specially crafted HTTP requests directly to vulnerable API endpoints. Because the authentication mechanism is flawed, such requests are accepted and processed without verifying the sender's identity. The attack does not require possession of any credentials or user interaction.
An attacker can gain full access to data of all clients stored on the platform and completely compromise the target system, including its resources and integrity.
Apply patches available from the manufacturer in accordance with references. As a temporary measure, it is recommended to restrict access to BLUVOYIX backend APIs at the firewall level to trusted sources only and monitor logs for unauthorized API requests.
Blusparkglobal BLUVOYIX platform — versions specified in manufacturer's references.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:RedBlusparkglobal Bluvoyix
APPBlusparkglobalwszystkie wersje
Related vulnerabilities
Ujawnienie wewnętrznej dokumentacji API w Blusparkglobal BLUVOYIX
Brak uwierzytelnienia w admin API Blusparkglobal BLUVOYIX — pełne przejęcie platformy
Blusparkglobal Bluvoyix — niekontrolowane wysyłanie e-maili przez API
BLUVOYIX: ujawnienie haseł w postaci jawnej przez nieuwierzytelnione API