CVE-2021-35337 in Phone Shop Sales Managements System

Summary

by MITRE • 07/01/2021

Sourcecodester Phone Shop Sales Managements System 1.0 is vulnerable to Insecure Direct Object Reference (IDOR). Any attacker will be able to see the invoices of different users by changing the id parameter.


Analysis

by VulDB Data Team • 07/09/2021

The vulnerability identified as CVE-2021-35337 affects the Sourcecodester Phone Shop Sales Management System version 1.0, which contains a critical Insecure Direct Object Reference flaw that compromises user data confidentiality and system integrity. The flaw stems from missing input validation and access control in the application's invoice retrieval functionality: the system does not verify that the authenticated user is authorized to view the requested record before returning it. An attacker who changes the id parameter in the application's URL or request can therefore retrieve invoices belonging to other users, bypassing the authorization controls that should restrict each invoice to its legitimate owner.

This vulnerability maps to CWE-639 (Authorization Bypass Through User-Controlled Key), which covers applications that grant access to objects based on user-supplied identifiers without an authorization check. The attack relies on the predictable nature of the object references: invoice ids are sequential integers, so unauthorized access to sensitive financial data, including customer information, transaction details, and sales records, requires nothing more than incrementing the parameter. The severity therefore extends beyond exposure of a single record, since an attacker can systematically collect insight into the organization's business operations, customer behavior, and financial transactions.

The operational impact of this vulnerability is substantial, as it creates a persistent risk for data breaches and potential financial fraud. Attackers can exploit this weakness to access confidential invoices, customer personal information, and sales data without requiring legitimate credentials or elevated privileges. This unauthorized access capability violates fundamental security principles of data protection and privacy, potentially leading to identity theft, financial fraud, and regulatory compliance violations. The vulnerability also undermines the trust relationship between the business and its customers, as sensitive transactional data becomes accessible to unauthorized parties through simple parameter manipulation techniques.

Mitigation should focus on enforcing access control on the server side: every request for an invoice must be checked against the authenticated session to confirm that the requesting user owns, or is otherwise permitted to view, the referenced object, rather than trusting the id supplied by the client. This includes parameter validation, session management controls, and role-based access restrictions so that direct object reference manipulation is rejected regardless of how the request is crafted. Organizations should also apply input sanitization, log and monitor access attempts (a single account requesting many distinct invoice ids, or producing many rejected lookups, is a useful signal), and conduct regular security assessments to find and fix similar flaws. The remediation approach aligns with ATT&CK technique T1213.002 for data access and with the access control guidance in the OWASP Top Ten. Additionally, error handling and response codes should not reveal whether an object or user exists, so that an unauthorized request and a request for a nonexistent id are indistinguishable and attackers cannot enumerate valid resource identifiers through automated scanning.
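The following is an added illustration, not code from the Sourcecodester project: a minimal invoice lookup in the vulnerable shape described above (served purely by the user-supplied id) beside the ownership-checked version recommended in the mitigation, plus a small defender heuristic run over constructed access-log records to flag id enumeration. The `Invoice` fields, the sample data and the log format are assumptions for the example.

```python
# Added example (not the project's own code): IDOR lookup vs. authorized lookup,
# plus a simple enumeration heuristic over constructed log records.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str          # hypothetical: the account that placed the order
    total: float

# Constructed sample data standing in for the application's invoice table.
INVOICES = {
    101: Invoice(101, "alice", 250.00),
    102: Invoice(102, "bob", 1299.99),
    103: Invoice(103, "alice", 75.50),
}

def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Optional[Invoice]:
    """CWE-639 pattern: the record is served by the client-supplied id alone;
    session_user is ignored, so any id that exists is returned to anyone."""
    return INVOICES.get(invoice_id)

def get_invoice_secure(session_user: str, invoice_id: int) -> Optional[Invoice]:
    """Ownership is checked against the authenticated session. A missing id and
    a foreign id both yield None, so the caller answers 404 for either case and
    the response does not reveal whether the invoice exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        return None
    return inv

# Constructed access-log records: (user, requested invoice id, HTTP status).
ACCESS_LOG = [
    ("bob", 101, 404), ("bob", 102, 200), ("bob", 103, 404),
    ("bob", 104, 404), ("bob", 105, 404), ("alice", 101, 200),
]

def flag_enumeration(log, threshold: int = 3) -> list:
    """Defender heuristic: users whose invoice requests produce at least
    `threshold` rejected (404) lookups are probing ids they do not own."""
    misses = {}
    for user, _invoice_id, status in log:
        if status == 404:
            misses[user] = misses.get(user, 0) + 1
    return sorted(u for u, n in misses.items() if n >= threshold)
```

In the secure variant the 404 for a foreign invoice is identical to the 404 for a nonexistent one, which is the non-revealing error behaviour the analysis calls for.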

Reservation

06/23/2021

Disclosure

07/01/2021

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00818

KEV

no

Activities

very low

Sources
