Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set.
Threat-Mapped Scoring
Score: 3.0
Priority: P2 - Serious (High)
S1 – Steal Customer Account Information
EPSS
Score: 0.02121
Percentile: 0.83404
CVSS Scoring
CVSS v2 Score: 7.5
Severity:
Mapped CWE(s)
CWE-425 : Direct Request ('Forced Browsing')
All CAPEC(s)
CAPEC-127 : Directory Indexing
CAPEC-143 : Detect Unpublicized Web Pages
CAPEC-144 : Detect Unpublicized Web Services
CAPEC-668 : Key Negotiation of Bluetooth Attack (KNOB)
CAPEC-87 : Forceful Browsing
CAPEC(s) with Mapped TTPs
CAPEC-127 : Directory Indexing
Mapped TTPs:
T1083 : File and Directory Discovery
CAPEC-668 : Key Negotiation of Bluetooth Attack (KNOB)
Mapped TTPs:
Mapped ATT&CK TTPs
T1083 : File and Directory Discovery
Kill Chain: discovery
T1565.002 : Transmitted Data Manipulation
Kill Chain: impact
Malware
APTs Threat Group Associations
Campaigns
Operation Wocao
SolarWinds Compromise
Operation CuckooBees
Operation Honeybee
Operation Dream Job
C0015
Night Dragon
KV Botnet Activity
Affected Products
cpe:2.3:a:hostingcontroller:hosting_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:-:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.0:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.1:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.2:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.3:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.4:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.5:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.6:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.7:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.8:*:*:*:*:*:*
cpe:2.3:a:hostingcontroller:hosting_controller:6.1:hotfix1.9:*:*:*:*:*:*
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me