| Título | BichitroGan ISP Billing Software 2025.3.20 Insecure Direct Object Reference (IDOR) / Broken Access Control |
|---|
| Descrição | An Insecure Direct Object Reference (IDOR) vulnerability exists in the BichitroGan ISP Billing Software version 2025.3.20.
The endpoint:
?_route=settings/users-view/{id}
does not properly validate user authorization. A low-privileged authenticated user (such as a Sales role) can manipulate the user ID parameter to access other users' account information, including administrative accounts.
By changing the numeric ID in the URL, attackers can enumerate users and retrieve sensitive account information without proper authorization checks.
Example:
https://demo.bichitrogan.com/?_route=settings/users-view/4
Impact:
• Unauthorized access to user information
• Exposure of administrator account details
• User enumeration
• Potential reconnaissance for privilege escalation
The vulnerability occurs due to missing server-side access control validation on the user profile endpoint. |
|---|
| Fonte | ⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/15 |
|---|
| Utilizador | 4m3rr0r (UID 85795) |
|---|
| Submissão | 12/03/2026 10h15 (há 17 dias) |
|---|
| Moderação | 27/03/2026 17h06 (15 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 353953 [BichitroGan ISP Billing Software 2025.3.20 Endpoint users-view ID Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|