In UBIKA WAAP Gateway/Cloud through 6.10, a blind XPath injection leads to an authentication bypass by stealing the session of another connected user.
As a basic security requirement and also to prevent this attack, we strongly recommend that the administration interface (running on port 3001/tcp) is restricted to administrators only (by source IP firewalling or admin VLAN segregation).
The fixed versions are WAAP Gateway & Cloud 6.11.0 and 6.5.6-patch15.
A patch (cpt) is available for versions prior to 6.11 and 6.5.6-patch15.
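The root cause class named above, an XPath expression assembled from untrusted input, is illustrated below with a constructed example. This is added code, not UBIKA's; the advisory does not describe the product's internals, so the XML user store, the element and attribute names, and the session tokens are all assumptions. It shows the unsafe string-splicing pattern beside a hardened lookup that validates the input against a strict allowlist before it reaches the query and re-checks the result in Python.

```python
"""Hardened XPath lookup for an XML-backed user/session store.

Added example (not UBIKA code). The store layout, names and tokens below
are constructed for illustration only.
"""
import re
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample user store; users and session tokens are made up.
SAMPLE_STORE = """
<users>
  <user name="alice" role="admin"><session>tok-alice-1</session></user>
  <user name="bob" role="user"><session>tok-bob-1</session></user>
</users>
"""

# Allowlist for usernames: letters, digits, dot, underscore, hyphen, 1-64 chars.
# Quotes, brackets and XPath operators can never pass this check.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def unsafe_user_xpath(username: str) -> str:
    """Vulnerable pattern: raw input is spliced into the XPath string.
    A quote or bracket in `username` changes the structure of the query,
    which is the defect class the advisory describes."""
    return ".//user[@name='" + username + "']"


def safe_user_xpath(username: str) -> str:
    """Hardened pattern: validate against a strict allowlist before the
    value is embedded, so no XPath metacharacter reaches the query."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return f".//user[@name='{username}']"


def lookup_session(store_xml: str, username: str) -> Optional[str]:
    """Return the session token of `username`, or None if there is no such user.

    Uses the hardened query builder and, as a second line of defence,
    compares the matched element's name in Python, so a query that somehow
    matched more than intended still cannot hand back another user's session.
    """
    root = ET.fromstring(store_xml)
    for user in root.findall(safe_user_xpath(username)):
        if user.get("name") == username:
            sess = user.find("session")
            return sess.text if sess is not None else None
    return None


if __name__ == "__main__":
    print(lookup_session(SAMPLE_STORE, "alice"))
    try:
        safe_user_xpath("al'ice")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is deliberately narrow; a real store would apply the same idea to every field that ends up in a query (usernames, session identifiers, role names), and would log rejected inputs so that probing of the lookup endpoint is visible to the operations team.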