{"id":80533,"date":"2026-06-13T21:46:22","date_gmt":"2026-06-13T18:16:22","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-12183-nefteprodukttekhnika-buk-ts-g-improper-authentication\/"},"modified":"2026-06-13T21:46:22","modified_gmt":"2026-06-13T18:16:22","slug":"cve-2026-12183-nefteprodukttekhnika-buk-ts-g-improper-authentication","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-12183-nefteprodukttekhnika-buk-ts-g-improper-authentication\/","title":{"rendered":"CVE-2026-12183 &#8211; Nefteprodukttekhnika BUK TS-G Improper Authentication"},"content":{"rendered":"<p>CVE ID :CVE-2026-12183<\/p>\n<p>  Published : June 13, 2026, 6:16 p.m. | 1\u00a0hour, 24\u00a0minutes ago<\/p>\n<p>  Description :Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The \/php\/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&amp;login=&amp;pwd=), and subsequent privileged endpoints under \/php\/ajax-main.php and \/modules\/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.<\/p>\n<p>  Severity: 9.8 | CRITICAL<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-12183 Published : June 13, 2026, 6:16 p.m. | 1\u00a0hour, 24\u00a0minutes ago Description :Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The \/php\/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-80533","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/80533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=80533"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/80533\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=80533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=80533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=80533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}