📌 [Security] Path Traversal-like Access Vulnerability in API Endpoint (system-app-metadata)

😊Just a reminder: any testing of this kind should always be done in a controlled environment and only on systems where you have explicit permission.


Using the sample attack command exposes all information (home addresses, full names, email addresses, and phone numbers) for every user (Directory) registered within Omnissa Workspace ONE.

Additional payloads and test results are anticipated; specifically, beyond mere information gathering, it may be possible to obtain API tokens and access credentials to remotely issue device wipe commands, or to execute comprehensive modifications across the global Organization Group (OG).

If you are looking for more attack payloads on this topic, or you are affected, please DM.

Attach payload 😈

"/DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/users/search%3fpagesize=100"

For the full version, you can use the device server hostname; if port 2001 returns an OK status, that domain is the device server.





There's a security issue in a part of our system that handles app data. Basically, when someone gives the system a "packageId" – which is supposed to identify an app – the system isn't checking it carefully enough. This lets people get to other parts of the system they shouldn't be able to see.

Think of it like this: the system expects you to ask for "app 1." But because it's not strict, you can ask for "app 1, but then look three folders up and then go into the users folder."


What should happen is pretty simple: the packageId should only accept actual app IDs. And nobody should be able to jump to other areas outside of what that system app is supposed to manage.

But right now, someone can use special characters like "dot-dot-slash" to move around different folders. They can also use encoded characters to make the system redirect to completely different parts of the API, like the one that lists all our users. This means they can access information that should be private.

If this happens, it could lead to a few problems:
- Someone could see our entire list of users without permission.
- Internal parts of our system, which should be hidden, might become visible.
- Private user details could get out.
- And this could even be the first step in bigger, more complex attacks.
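As an added example (not part of the original post and not Omnissa's code), here is the kind of allow-list check the explanation above calls for: packageId must be a plain app identifier, so a value that still contains a path separator, a ".." sequence, a query delimiter or leftover percent-encoding after full decoding is rejected. The identifier format (reverse-DNS name or bare integer) and the log-line layout are assumptions for this example; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumed identifier shapes: "com.vendor.app" or a bare numeric app id.
_APP_ID = re.compile(r"^(?:[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z0-9_]+)+|[0-9]{1,10})$")


def normalize(value: str) -> str:
    """Percent-decode repeatedly so a value that was encoded more than once
    is judged on its final form, not on the escaped text."""
    for _ in range(5):                     # bounded to avoid pathological input
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def is_valid_package_id(value: str) -> bool:
    """Allow-list check: only canonical app identifiers pass."""
    decoded = normalize(value)
    if any(tok in decoded for tok in ("/", "\\", "..", "?", "#", "%", "\x00")):
        return False
    return _APP_ID.fullmatch(decoded) is not None


# Constructed request log lines, shape: METHOD PATH?QUERY STATUS
SAMPLE_LOG = [
    "GET /DevicesGateway/apps/system-app-metadata/1?packageId=com.example.mail 200",
    "GET /DevicesGateway/apps/system-app-metadata/1?packageId=../../../../API/system/users/search%3fpagesize=100 200",
    "GET /DevicesGateway/apps/system-app-metadata/1?packageId=42 200",
]

_PKG = re.compile(r"[?&]packageId=([^ &]+)")


def flag_suspicious(lines):
    """Return the log lines whose packageId fails the allow-list check
    (useful for retroactive detection in access logs)."""
    hits = []
    for line in lines:
        m = _PKG.search(line)
        if m and not is_valid_package_id(m.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```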