| Titel | Eastnets PaymentSafe 2.5.26.0 Improper Authorization |
|---|
| Beschreibung | The application suffers from a Failure to Restrict URL Access vulnerability, allowing unauthorized access to sensitive bank transaction details. An attacker with a valid session can directly access restricted endpoints containing confidential financial data, bypassing intended authorization controls.
Step To reproduce:
1. In the poc, AppSecTest3 user have the access to see the achieved messages while AppSecTest1 user does not have permission of this functionality.
2. Copy and pasting the URL in AppSecTest1 user session gives access to the sensitive details. |
|---|
| Quelle | ⚠️ https://drive.google.com/file/d/1WT5mJwL9NvKxBLIIj7TDbeAq6dchs5Gk/view?usp=sharing |
|---|
| Benutzer | kushkira (UID 60170) |
|---|
| Einreichung | 17.02.2025 11:11 (vor 1 Jahr) |
|---|
| Moderieren | 01.03.2025 08:39 (12 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 298064 [Eastnets PaymentSafe 2.5.26.0 URL /Default.aspx erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|