Submission #551790: Consumer Comanda Mobile 14.7.1.4 – 15.0.0.8 Improper Authorization

Information

Title: Consumer Comanda Mobile 14.7.1.4 – 15.0.0.8 Improper Authorization

Description:
Comanda Mobile, a restaurant management application developed by VR Software, contains a critical vulnerability that allows unauthenticated users to access and manipulate restaurant orders (comandas) without proper authorization. The mobile application fails to enforce authentication and access control at the backend level, allowing attackers on the same network to forge HTTP requests and interact with other users' orders (e.g., altering items, generating bills, or deleting entries) without permission. The issue persists across several versions, from x.x.x.x to x.x.x.x and even the new version x.x.x.x, indicating a long-standing design flaw.

Impact:
1. Unauthorized access to sensitive customer data
2. Tampering with or deleting orders
3. Financial loss for the business ("Eat for Free")
4. Potential legal issues due to non-compliance (e.g., GDPR / LGPD)

Exploitation: access to the same network (e.g., the Wi-Fi used by restaurant staff or customers).

Reported to the vendor in September 2024. No response or patch provided as of April 2025.
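The flaw described in the submission is an object-level authorization failure: the backend acts on whatever order ID a client names, so anyone who can reach the server on the LAN can forge the request. The sketch below is an added example, not VR Software's code and not the real Comanda Mobile API; the in-memory order store, the session model, the `Request` shape and both handler names are constructed here purely for illustration. It puts a handler that trusts the client beside one that authenticates the session and then checks that the authenticated user owns the order before mutating it.

```python
"""Hypothetical order backend (added example, not Comanda Mobile's code).

Shows the difference between a handler that performs any action on any
order it is told about, and one that enforces authentication plus
object-level authorization on the server side.
"""

import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    action: str                      # "add_item" | "close" | "delete"
    order_id: int
    item: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)


class OrderService:
    def __init__(self) -> None:
        # Constructed sample data: two open orders belonging to two waiters.
        self.orders: Dict[int, dict] = {
            17: {"waiter": "ana", "items": ["espresso"], "closed": False},
            18: {"waiter": "beto", "items": ["pizza"], "closed": False},
        }
        # token -> username; tokens are issued at login.
        self.sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        """Issue an opaque, unguessable session token (password check omitted)."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    # --- vulnerable pattern: the client is trusted entirely -----------------
    def handle_vulnerable(self, req: Request) -> Tuple[int, str]:
        """No identity, no ownership check: any caller can act on any order."""
        order = self.orders.get(req.order_id)
        if order is None:
            return 404, "no such order"
        return self._apply(order, req)

    # --- hardened pattern: authenticate, then authorize per object ----------
    def handle_hardened(self, req: Request) -> Tuple[int, str]:
        """Reject unauthenticated callers and callers who do not own the order."""
        auth = req.headers.get("Authorization", "")
        token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
        user = self.sessions.get(token)
        if user is None:
            return 401, "authentication required"
        order = self.orders.get(req.order_id)
        if order is None:
            return 404, "no such order"
        if order["waiter"] != user:
            # The order exists, but not for this caller (object-level authz).
            return 403, "not your order"
        return self._apply(order, req)

    def _apply(self, order: dict, req: Request) -> Tuple[int, str]:
        """Mutation logic shared by both handlers; only the gate differs."""
        if req.action == "add_item":
            if not req.item:
                return 400, "item required"
            order["items"].append(req.item)
            return 200, "item added"
        if req.action == "close":
            order["closed"] = True
            return 200, "bill generated"
        if req.action == "delete":
            self.orders.pop(req.order_id, None)
            return 200, "order deleted"
        return 400, "unknown action"
```

The point of the hardened handler is that the check happens where the attacker cannot skip it: a login screen in the mobile app is irrelevant once a forged HTTP request can reach the backend directly, so the server has to tie every order mutation to a session it issued and to the owner of that specific order.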
Source: ⚠️ https://medium.com/@davimouar/from-order-to-exploit-a-deep-dive-into-restaurant-network-security-64aeaf3a6f64
User: davimo (UID 79678)
Submitted: 05/04/2025 04:38 AM (1 year ago)
Moderation: 06/04/2025 02:23 PM (1 day later)
Status: Approved
VulDB entry: 303543 [Consumer Comanda Mobile up to 14.9.3.2/15.0.0.8 Restaurant Order Login/Password Weak Encryption]
Points: 20
