Published CVE numbers:
Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to Login Credential Leakage via Audit Entries.
The Audit plugin provides a detailed list of the web panel's operations. When a configuration is updated, the password that was set is stored in an audit entry and returned without being masked. Because permission checks are missing, the audit plugin can be reached by lower-level users who should not have access to it.
Authentication: Required (low-level user access is enough)
Due to the vulnerability of CVE-2023-47316, even low-level users can access the Functions tab and the menu item Audit under this tab.
Users can retrieve all details belonging to the given log entry by clicking the search icon.
Affected API call: /rest/plugins/audit/private/log/search (POST)
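The two defects described above (an unmasked password inside the stored audit entry, and a log-search endpoint with no permission check) can be addressed independently. The following Python is an added illustration, not Headwind MDM's own code: it masks credential-like fields in a configuration-change audit entry before it is persisted or returned, enforces an explicit role check on the search handler, and scans already-stored entries for cleartext secrets so they can be purged. The entry layout, the key names treated as sensitive, the role name `ROLE_ADMIN` and the sample entries are all assumptions made for the example.

```python
"""Masking and access control for configuration-change audit entries.

Added example, not Headwind MDM code. The entry layout ("id", "action",
"user", "payload"), the sensitive key names and the role name are assumptions.
"""
import json
import re
from typing import Any

# Keys whose values are treated as secrets (assumed names; extend to match the real schema).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "apikey"}
MASK = "********"


def _is_sensitive(key: str) -> bool:
    """Normalise the key (lowercase, alphanumerics only) and match it against SENSITIVE_KEYS."""
    normalised = re.sub(r"[^a-z0-9]", "", key.lower())
    return any(s in normalised for s in SENSITIVE_KEYS)


def redact(value: Any) -> Any:
    """Return a deep copy of a JSON-like structure with every sensitive value replaced by MASK."""
    if isinstance(value, dict):
        return {k: (MASK if _is_sensitive(k) and v not in (None, "") else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def sanitize_entry(entry: dict) -> dict:
    """Copy an audit entry with credentials masked in its payload.

    The payload may be a dict or a JSON-encoded string (assumption); opaque
    non-JSON text is left as is because there is no structure to mask.
    """
    out = dict(entry)
    payload = out.get("payload")
    if isinstance(payload, str):
        try:
            decoded = json.loads(payload)
        except ValueError:
            return out
        out["payload"] = json.dumps(redact(decoded), sort_keys=True)
    elif isinstance(payload, (dict, list)):
        out["payload"] = redact(payload)
    return out


def audit_search_allowed(caller_roles) -> bool:
    """The explicit permission check the advisory reports as missing (role name assumed)."""
    return "ROLE_ADMIN" in caller_roles


def search_log(entries, caller_roles, query: str = ""):
    """Log-search handler: deny non-administrators, then mask every entry it returns."""
    if not audit_search_allowed(caller_roles):
        raise PermissionError("audit log search requires the administrator role")
    needle = query.lower()
    return [sanitize_entry(e) for e in entries if needle in json.dumps(e).lower()]


def _has_cleartext(value: Any) -> bool:
    """True if any sensitive key in the structure still carries a non-masked string value."""
    if isinstance(value, dict):
        for k, v in value.items():
            if _is_sensitive(k) and isinstance(v, str) and v not in ("", MASK):
                return True
            if _has_cleartext(v):
                return True
    elif isinstance(value, list):
        return any(_has_cleartext(v) for v in value)
    return False


def find_unmasked(entries):
    """Detection helper: ids of stored entries that still hold a cleartext secret."""
    hits = []
    for e in entries:
        payload = e.get("payload")
        if isinstance(payload, str):
            try:
                payload = json.loads(payload)
            except ValueError:
                continue
        if _has_cleartext(payload):
            hits.append(e["id"])
    return hits


# Constructed sample entries (not real audit data).
SAMPLE_ENTRIES = [
    {"id": 1, "action": "configuration.update", "user": "admin",
     "payload": json.dumps({"name": "Default", "password": "Hunter2!",
                            "wifi": {"ssid": "corp", "password": "w1f1pass"}})},
    {"id": 2, "action": "user.login", "user": "viewer", "payload": {"ip": "10.0.0.5"}},
    {"id": 3, "action": "configuration.update", "user": "admin",
     "payload": json.dumps({"name": "Kiosk", "password": MASK})},
]

if __name__ == "__main__":
    print("entries with cleartext secrets:", find_unmasked(SAMPLE_ENTRIES))
    for e in search_log(SAMPLE_ENTRIES, {"ROLE_ADMIN"}, "configuration"):
        print(e["id"], e["payload"])
```

Masking on read (`search_log`) is the quick fix for the endpoint named above, but it leaves the cleartext value in the database; masking on write (`sanitize_entry` before persisting) plus a one-off sweep with `find_unmasked` is what actually removes the exposure.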