The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user.
An attacker sends specially crafted HTTP requests to vulnerable admin API endpoints without needing to possess any authentication credentials. As a result, it is possible to create a new user with administrator privileges. After creating such an account, the attacker logs into it and gains full access to the platform and client data. The vulnerability results from the lack of authentication mechanism (CWE-306) and improper privilege management (CWE-269) within the admin API.
An attacker can gain full access to data of all clients and completely take over control of the BLUVOYIX platform, including managing its configuration and users with administrator privilege level.
Apply patches available from the vendor according to the references. Until the patch is implemented, it is recommended to block access to admin API endpoints at the firewall or network level, so they are accessible only from trusted IP addresses.
Blusparkglobal's BLUVOYIX product — versions indicated in the vendor's references
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:H/U:RedBlusparkglobal Bluvoyix
APPBlusparkglobalwszystkie wersje
Related vulnerabilities
Pominięcie uwierzytelnienia w Blusparkglobal BLUVOYIX (Auth Bypass)
Ujawnienie wewnętrznej dokumentacji API w Blusparkglobal BLUVOYIX
Blusparkglobal Bluvoyix — niekontrolowane wysyłanie e-maili przez API
BLUVOYIX: ujawnienie haseł w postaci jawnej przez nieuwierzytelnione API