Wipro Holmes Orchestrator v20.4.1 CVEs

Introduction

Recently, I had the opportunity to pentest the Wipro Holmes Orchestrator v20.4.1 application. During the assessment, I found a few interesting vulnerabilities, which are covered in this post.

CVE-2021-38146: Arbitrary File Download

The Wipro Holmes Orchestrator provides an API endpoint to download various files through the application, such as log files. This functionality is visible only to logged-in users. However, the API itself requires no authentication to be called....

November 23, 2021 · 5 min · Rizal