The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality.
Internal API documentation is available without authentication, revealing details about the operation and structure of the product's programming interfaces. An unauthenticated attacker remotely sends specially crafted HTTP requests to the endpoints described in this documentation. By abusing the disclosed internal functions, it is possible to cause damage to the attacked platform.
An attacker can remotely abuse internal functions of the BLUVOYIX platform without any authentication, causing damage to its operation, data integrity, and service availability. Due to full impact on the confidentiality, integrity, and availability of both the target system and related systems, the consequences may be critical in nature.
Patches available from the manufacturer should be applied according to references. Additionally, it is recommended to restrict access to API documentation exclusively for authenticated and authorized users, and to monitor HTTP traffic directed to internal API endpoints.
Blusparkglobal BLUVOYIX product — specific versions were not indicated in the description; details available in manufacturer references.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:AmberBlusparkglobal Bluvoyix
APPBlusparkglobalwszystkie wersje
Related vulnerabilities
Pominięcie uwierzytelnienia w Blusparkglobal BLUVOYIX (Auth Bypass)
Brak uwierzytelnienia w admin API Blusparkglobal BLUVOYIX — pełne przejęcie platformy
Blusparkglobal Bluvoyix — niekontrolowane wysyłanie e-maili przez API
BLUVOYIX: ujawnienie haseł w postaci jawnej przez nieuwierzytelnione API