Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68.
The vulnerability involves three related weaknesses (CWE-306, CWE-552, CWE-798): lack of user identity verification before access to protected resources, possibility of direct access to files or directories by external users, and presence of hardcoded credentials embedded in the application. The combination of these three vectors allows an attacker to bypass authentication mechanisms without knowledge of correct access credentials. The attack is possible remotely over the network, requires no privileges and no user interaction.
An attacker can obtain unauthorized, full access to the Elektraweb system, leading to violations of data confidentiality, integrity, and availability (CVSS score: C:H/I:H/A:H). In practice, this means the ability to read, modify, or delete data managed by the system.
Immediately update the Elektraweb system to version v17.0.68 or later. Until the patch is deployed, it is recommended to restrict network access to the system exclusively to trusted internal networks or apply firewall rules blocking external access.
Talya Informatics Elektraweb — all versions before v17.0.68
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H