The login page in the Integration Server in Software AG webMethods 10.15.0 before Core Fix7 allows remote attackers to access the administration panel and obtain server hostname and version information by sending a dummy username and blank password to the login URI. By dropping the request to "/admin/navigation/license," attackers can remain logged in and access sensitive details such as the server's real hostname, version info, and administrative API endpoints.