CVE-2023-30455 in ebankITinfo

Summary

by MITRE • 04/28/2023

An issue was discovered in ebankIT before 7. A Denial-of-Service attack is possible through the GET parameter EStatementsIds located on the /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx endpoint. The GET parameter accepts over 100 comma-separated e-statement IDs without throwing an error. When this many IDs are supplied, the server takes around 60 seconds to respond and successfully generate the expected ZIP archive (during this time period, no other pages load). A threat actor could issue a request to this endpoint with 100+ statement IDs every 30 seconds, potentially resulting in an overload of the server for all users.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/23/2025

This vulnerability exists in the ebankIT software version 7 and earlier, where a denial-of-service condition can be triggered through manipulation of the EStatementsIds GET parameter at the /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx endpoint. The flaw stems from insufficient input validation and parameter handling within the web application's statement download functionality. The system accepts an excessive number of comma-separated e-statement IDs without implementing proper bounds checking or rate limiting mechanisms, creating a scenario where legitimate users experience service degradation.

The technical implementation of this vulnerability demonstrates a classic resource exhaustion attack vector where the server's processing capacity becomes overwhelmed by a single malicious request. When more than 100 e-statement IDs are submitted through the EStatementsIds parameter, the system begins processing all these identifiers sequentially, causing a significant delay in response time. The server maintains this high processing load for approximately sixty seconds while generating the expected ZIP archive, during which time all other concurrent user requests are blocked or severely delayed. This behavior indicates a lack of proper concurrency control and resource management within the application's threading model or process handling.

The operational impact of this vulnerability extends beyond simple service disruption to create a potential denial-of-service scenario that affects all users of the ebankIT platform. The attack can be executed repeatedly with minimal resources, as threat actors can submit requests containing 100+ statement IDs every 30 seconds, effectively maintaining a sustained attack that prevents legitimate users from accessing the service. This creates a scenario where the server's processing capacity is consumed by a single malicious request pattern, resulting in cascading failures that impact the entire application's availability and user experience. The vulnerability directly relates to CWE-400, which addresses unchecked resource consumption, and aligns with ATT&CK technique T1499.004 for network denial of service attacks.

Mitigation strategies should focus on implementing robust input validation and parameter limits at the application level, particularly within the vulnerable endpoint. The system should enforce maximum parameter limits for the EStatementsIds parameter, rejecting requests that exceed a predetermined threshold of acceptable e-statement IDs. Additionally, implementing rate limiting mechanisms and connection pooling controls can prevent single requests from monopolizing server resources. The application should also incorporate proper timeout configurations and asynchronous processing capabilities to ensure that long-running operations do not block other concurrent requests. Security measures should include monitoring for unusual parameter patterns and implementing automated alerting when multiple requests containing large numbers of statement IDs are detected. Organizations should also consider implementing API gateway controls and load balancing configurations to distribute requests more effectively and prevent resource exhaustion attacks from affecting the entire system.

Reservation

04/10/2023

Disclosure

04/28/2023

Moderation

accepted

CPE

ready

EPSS

0.01047

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!