Posted by RedTeam Pentesting GmbH on Dec 02
Advisory: Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components
During a penetration test, RedTeam Pentesting discovered that several
IBM Endpoint Manager components are based on Ruby on Rails and ship with
static, hard-coded secret_token values. Because the secret_token is the key
that signs Rails session cookies, anyone who knows it can create valid
session cookies containing marshalled objects of their choosing. This can
be leveraged to execute arbitrary code when…
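The following is an added example, not code from the advisory, from RedTeam Pentesting or from IBM: a small Ruby audit that checks a set of Rails initializer files for the two conditions behind this class of issue, a secret_token or secret_key_base committed as a string literal, and a session cookie serializer of :marshal, and that generates a replacement value for rotating the secret. The file contents, the `SampleApp` module name and the paths are constructed for the example.

```ruby
# Added example, not code from RedTeam Pentesting, IBM or the advisory:
# scan Rails initializer files for the misconfiguration described above.
# Two conditions are reported: a secret_token / secret_key_base assigned
# as a string literal in source (static, so anyone with the code can sign
# cookies), and a cookie serializer of :marshal (forged cookies would be
# handed to Marshal.load). File and module names below are constructed.
require 'securerandom'

# Secret assigned as a quoted literal: the vulnerable pattern.
STATIC_SECRET_RE = /config\.(secret_token|secret_key_base)\s*=\s*(['"])([^'"]+)\2/
# Rails 4.1+ setting; :marshal means session cookies go through Marshal.load.
MARSHAL_RE = /cookies_serializer\s*=\s*:marshal/

# files: { path => contents }. Returns one finding string per problem line.
def audit_rails_config(files)
  findings = []
  files.each do |path, contents|
    contents.each_line.with_index(1) do |line, lineno|
      next if line.lstrip.start_with?('#')   # ignore commented-out examples
      if (m = STATIC_SECRET_RE.match(line))
        findings << "#{path}:#{lineno}: static #{m[1]} literal " \
                    "(#{m[3].length} chars) committed in source"
      elsif MARSHAL_RE.match?(line)
        findings << "#{path}:#{lineno}: cookies_serializer is :marshal; " \
                    'forged cookies would reach Marshal.load'
      end
    end
  end
  findings
end

# Replacement value for a rotated secret: 64 random bytes, hex-encoded.
# Rotating the secret invalidates every cookie signed with the old one.
def fresh_secret
  SecureRandom.hex(64)
end

# Constructed sample files; "SampleApp" is a hypothetical application module.
SAMPLE_FILES = {
  'config/initializers/secret_token.rb' => <<~RB,
    SampleApp::Application.config.secret_token = '0123456789abcdef0123456789abcdef'
  RB
  'config/initializers/session_store.rb' => <<~RB,
    SampleApp::Application.config.session_store :cookie_store, key: '_sample_session'
    SampleApp::Application.config.action_dispatch.cookies_serializer = :marshal
  RB
  'config/initializers/secret_key_base.rb' => <<~RB,
    # Expected form: the secret is supplied at boot and never committed.
    SampleApp::Application.config.secret_key_base = ENV.fetch('SECRET_KEY_BASE')
  RB
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit_rails_config(SAMPLE_FILES).each { |f| puts f }
  puts "replacement secret: #{fresh_secret}"
end
```

Run against a real checkout by replacing `SAMPLE_FILES` with a hash built from `Dir.glob('config/initializers/*.rb')`; the third sample file shows the form that produces no finding, the secret read from the environment at boot. The same audit should be repeated after a rotation, since a new random secret only helps if the old literal is also removed from the repository history.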