The application is vulnerable to an unauthenticated parameter
manipulation that allows an attacker to set the credentials to blank
giving her access to the admin panel. Also vulnerable to account
takeover and arbitrary password change.
Credits
Gjoko Krstic publicly reported these vulnerabilities on the internet after an unsuccessful attempt to contact Electrolink directly.
