Vendor: ITB-GmbH
Affected Products: TradePro (v9.5)
Component: Function Customer; Action oordershow
Confirmed: yes
Type: Incorrect Access Control
Access-Type: Remote
Impact: Information Disclosure
Incorrect Access Control in function customer, action oordershow in ITB-GmbH TradePro v9.5 allows remote attackers to receive all orders from the online shop by passing arbitrary order numbers to an http(s) endpoint.
The bestellid should be known beforehand but can be enumerated easily or by using an SQLi (see Report CVE-2023-36645).
Calling http(s)://[DOMAIN]/shop/de/sys/?func=customer&action=oordershow&wkid=[COOKIE]&bestellid=[BESTELL_ID]
with a valid but unauthenticated session cookie gives the attacker access to all orders.
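The following is an added illustration, not code from the advisory or from ITB-GmbH's TradePro: a minimal in-memory model of an order-lookup handler that shows the pattern the advisory describes (a session that merely exists is accepted and the order is fetched by id alone) beside a hardened version that requires an authenticated customer and checks ownership, plus a small access-log check a defender can run to surface one session pulling many different bestellid values. Every name here (Session, Order, the sample sessions and orders, the log excerpt) is constructed for the example and does not reflect TradePro internals.

```python
"""Added example (not part of the original advisory or TradePro's code):
order lookup without vs. with an ownership check, and a log-based detector
for one session requesting many distinct order ids. All data is constructed."""

from dataclasses import dataclass
from collections import defaultdict
from typing import Optional
import re


@dataclass
class Session:
    wkid: str                      # session cookie value
    customer_id: Optional[int]     # None: session exists, nobody logged in


@dataclass
class Order:
    bestellid: int
    customer_id: int
    total: float


# Constructed sample data (hypothetical, not real shop data).
SESSIONS = {
    "sess-anon": Session("sess-anon", None),
    "sess-cust42": Session("sess-cust42", 42),
}
ORDERS = {
    1001: Order(1001, 42, 19.99),
    1002: Order(1002, 7, 250.00),
    1003: Order(1003, 42, 5.50),
}


class AccessDenied(Exception):
    pass


def oordershow_vulnerable(wkid: str, bestellid: int) -> Order:
    """The weakness described above: a known session is enough, and the
    order is returned purely by id, so any valid bestellid is disclosed."""
    if wkid not in SESSIONS:
        raise AccessDenied("unknown session")
    order = ORDERS.get(bestellid)
    if order is None:
        raise KeyError("no such order")
    return order


def oordershow_hardened(wkid: str, bestellid: int) -> Order:
    """Hardened: the session must be bound to an authenticated customer and
    the order must belong to that customer. A foreign order and a missing
    order raise the same error, so the endpoint does not confirm which ids
    exist."""
    session = SESSIONS.get(wkid)
    if session is None or session.customer_id is None:
        raise AccessDenied("login required")
    order = ORDERS.get(bestellid)
    if order is None or order.customer_id != session.customer_id:
        raise AccessDenied("order not found")  # deliberately indistinguishable
    return order


def is_denied(handler, wkid: str, bestellid: int) -> bool:
    """True when the handler refuses the request with AccessDenied."""
    try:
        handler(wkid, bestellid)
    except AccessDenied:
        return True
    return False


# Detection side: one session walking through many order ids is the
# signature of the disclosure described above. Constructed log excerpt.
LOG_RE = re.compile(
    r"func=customer&action=oordershow&wkid=(?P<wkid>[^&\s]+)&bestellid=(?P<bid>\d+)"
)
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /shop/de/sys/?func=customer&action=oordershow&wkid=sess-anon&bestellid=1001 HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:02] "GET /shop/de/sys/?func=customer&action=oordershow&wkid=sess-anon&bestellid=1002 HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:03] "GET /shop/de/sys/?func=customer&action=oordershow&wkid=sess-anon&bestellid=1003 HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2024:10:05:00] "GET /shop/de/sys/?func=customer&action=oordershow&wkid=sess-cust42&bestellid=1001 HTTP/1.1" 200
"""


def sessions_enumerating_orders(log_text: str, threshold: int = 3) -> list:
    """Return session ids that requested at least `threshold` distinct
    bestellid values. Genuine customers view a handful of their own orders;
    a single session touching many different ids warrants investigation."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[m.group("wkid")].add(int(m.group("bid")))
    return sorted(w for w, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, anonymous session, foreign order:",
          oordershow_vulnerable("sess-anon", 1002))
    print("hardened, anonymous session denied:",
          is_denied(oordershow_hardened, "sess-anon", 1002))
    print("hardened, own order:", oordershow_hardened("sess-cust42", 1001))
    print("sessions to investigate:", sessions_enumerating_orders(SAMPLE_LOG))
```

The key design point is that the hardened handler never trusts the bestellid from the request as proof of anything: the session must identify a customer, and the lookup is scoped to that customer, with "not yours" and "does not exist" collapsed into one response. The log check complements the fix by flagging the enumeration pattern on instances that have not yet been patched.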
Score: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P
-
Lynn
-
Jadyn