CVE-2022-35413

high-risk
Published 2022-09-13

WAPPLES through 6.0 has a hardcoded systemi account. A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.

Do I need to act?

!
86.0% chance of exploitation in next 30 days
EPSS score — higher than 14% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Wapples

Affected Vendors

Pentasecurity

References (6)

Patch https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-system...
https://medium.com/%40_sadshade/wapples-web-application-firewall-multiple-vulner...
Product https://www.pentasecurity.com/product/wapples/
Patch https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-system...
https://medium.com/%40_sadshade/wapples-web-application-firewall-multiple-vulner...
Product https://www.pentasecurity.com/product/wapples/
57
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal