CVE-2023-28346
HIGHFaronics Insight 10.0.19045 - Unauthenticated Access to Private API Endpoints via Virtual Host Routing Bypass
Title source: llmDescription
An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for a remote attacker to communicate with the private API endpoints exposed at /login, /consoleSettings, /console, etc. despite Virtual Host Routing being used to block this access. Remote attackers can interact with private pages on the web server, enabling them to perform privileged actions such as logging into the console and changing console settings if they have valid credentials.
References (2)
Core 2
Core References
Exploit, Mitigation, Release Notes, Third Party Advisory
https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight/
Third Party Advisory
https://research.nccgroup.com/?research=Technical%20advisories
Scores
CVSS v3
7.3
EPSS
0.0088
EPSS Percentile
54.4%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-732
Status
published
Products (1)
faronics/insight
10.0.19045
Published
May 31, 2023
Tracked Since
Feb 18, 2026