Отправить #551790: Consumer Comanda Mobile 14.7.1.4 – 15.0.0.8 Improper Authorization
| Название | Consumer Comanda Mobile 14.7.1.4 – 15.0.0.8 Improper Authorization |
|---|---|
| Описание | Comanda Mobile, a restaurant management application developed by VR Software, contains a critical vulnerability that allows unauthenticated users to access and manipulate restaurant orders (commandas) without proper authorization. The mobile application fails to enforce authentication and access control at the backend level, allowing attackers on the same network to forge HTTP requests and interact with other users' orders (e.g., altering items, generating bills, or deleting entries) without permission. The issue persists across several versions, from x.x.x.x to x.x.x.x and even the new version x.x.x.x, indicating a long-standing design flaw. Impact: 1. Unauthorized access to sensitive customer data 2. Tampering with or deleting orders 3. Financial loss for the business (Eat for Free) 4. Potential legal issues due to non-compliance (e.g., GDPR / LGPD) Exploitation: Access to the same network (e.g., Wi-Fi used by restaurant staff or customers) Reported to vendor in September 2024. No response or patch provided as of April 2025. |
| Источник | ⚠️ https:/ |
| Пользователь | davimo (UID 79678) |
| Представление | 05.04.2025 04:38 (1 Год назад) |
| Модерация | 06.04.2025 14:23 (1 day later) |
| Статус | принято |
| Запись VulDB | 303543 [Consumer Comanda Mobile до 14.9.3.2/15.0.0.8 Restaurant Order Login/Password слабое шифрование] |
| Баллы | 20 |