7.5

CVE-2025-66573

Exploit

Solstice Pod API Session Key Extraction via API Endpoint

Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MersiveSolstice Pod Firmware Version5.6
   MersiveSolstice Pod Version-
MersiveSolstice Pod Firmware Version6.2
   MersiveSolstice Pod Version-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.176
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
disclosure@vulncheck.com 6.9 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://www.exploit-db.com/exploits/52104
Third Party Advisory
Exploit
https://www.mersive.com/
Product
https://documentation.mersive.com/en/solstice/about-solstice.html
Product
https://www.vulncheck.com/advisories/solstice-pod-api-session-key-extraction-via-api-endpoint
Third Party Advisory