Submission #174635: Rotem Dynamics CRM User / Member Enumeration Vulnerability

Information

Title: Rotem Dynamics CRM User / Member Enumeration Vulnerability

Description:
Rotem CRM is vulnerable, allowing user enumeration via the OTP URI interface.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-203: Observable Discrepancy

No version details due to closed source and lack of cooperation. Probably applies to all versions.

Example:
https://rotemcrm.idfwo.org/LandingPages/api/otp/send?id=[ID][ampersand]method=sms
https://rotemcrm.idfwo.org/LandingPages/api/otp/send?id=[ID][ampersand]method=email

1. Replace [ID] with the ID number.
2. Replace [ampersand] with the ampersand symbol (prohibited by your vulnerability report form).

Successful response (for this implementation):
{"Status":"Sent OTP","SentTo":"שמספרו לטלפון אישור קוד נשלח: XXXXXXX123"}
(The Hebrew value, shown as extracted, reads: "a verification code was sent to the phone whose number is: XXXXXXX123".)

Unsuccessful response (user not found):
{"תעודת הזהות לא נמצאה, ניתן ליצור קשר בטלפון 03-6918403":"Error {"
(The Hebrew text, shown as extracted, reads: "the ID number was not found; you can get in touch by phone at 03-6918403".)

User: Anonymous User
Submitted: 27/06/2023 03:27 PM (3 years ago)
Moderation: 06/07/2023 07:36 PM (9 days later)
Status: Approved
VulDB Entry: 233253 [Rotem Dynamics Rotem CRM up to 20230729 OTP URI Interface send?id=[ID][ampersand]method=sms information disclosure]
Points: 17
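The two responses quoted in the description differ in HTTP outcome, JSON key set and body text, which is exactly the observable discrepancy (CWE-203) that turns an OTP-send endpoint into a membership oracle. The following is an added example, not code from Rotem Dynamics or from the submitter: it models that endpoint locally, shows a probe that detects the discrepancy, and shows the same endpoint with the discrepancy removed. The enrolled IDs, messages, dispatch log and function names are all constructed for illustration.

```python
"""Added example, not Rotem CRM code: a minimal local model of an OTP-send
endpoint, the enumeration oracle its differing responses create, and a
variant whose responses are identical for enrolled and unknown IDs."""
import json

# Constructed set of enrolled ID numbers; a real backend queries a database.
KNOWN_IDS = {"123456789", "987654321"}

# Records (id, method) pairs for which an OTP would actually be sent.
DISPATCHED = []


def _dispatch_otp(id_number, method):
    """Stand-in for the SMS/e-mail sender: record the send instead of sending."""
    DISPATCHED.append((id_number, method))


def vulnerable_otp_send(id_number, method):
    """Models the behaviour described in the report: status, JSON keys and
    body text all differ between enrolled and unknown IDs, and the success
    branch echoes a partially masked contact. Returns (status, body_dict)."""
    if id_number not in KNOWN_IDS:
        return 400, {"Error": "ID number not found, please contact support"}
    _dispatch_otp(id_number, method)
    masked = "XXXXXXX" + id_number[-3:]  # constructed masking, as in the report
    return 200, {"Status": "Sent OTP", "SentTo": f"Code sent to {masked}"}


def hardened_otp_send(id_number, method):
    """Same endpoint with the discrepancy removed: the OTP is dispatched only
    for enrolled IDs, but status, keys and body are identical either way, so
    the caller learns nothing about enrolment and no contact data is echoed."""
    if id_number in KNOWN_IDS:
        _dispatch_otp(id_number, method)
    return 200, {"Status": "If this ID is registered, a code has been sent"}


def response_fingerprint(endpoint, id_number, method="sms"):
    """Everything an unauthenticated caller can observe from one request:
    the status code, the set of JSON keys and the serialized body."""
    status, body = endpoint(id_number, method)
    return (status, tuple(sorted(body)), json.dumps(body, sort_keys=True))


def is_enumeration_oracle(endpoint, enrolled_id, unknown_id, method="sms"):
    """True if the endpoint answers differently for an enrolled and an
    unknown ID, i.e. it exposes an observable discrepancy (CWE-203)."""
    return (response_fingerprint(endpoint, enrolled_id, method)
            != response_fingerprint(endpoint, unknown_id, method))


if __name__ == "__main__":
    for name, endpoint in (("vulnerable", vulnerable_otp_send),
                           ("hardened", hardened_otp_send)):
        print(name, "is an enumeration oracle:",
              is_enumeration_oracle(endpoint, "123456789", "000000000"))
```

The probe compares complete response fingerprints rather than just status codes, because a uniform 200 with a different key set or message still leaks membership. A uniform body is necessary but not sufficient: if the OTP is dispatched synchronously, the enrolled branch will usually take longer to respond, so dispatch should be queued off the request path, and the endpoint should be rate-limited per source and per ID so that even a residual signal cannot be used to sweep an ID range.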
