In eBankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any email address or phone number without validation.
972d016f9392b59d94e5953a0d7fcae1086a2619511edc6b73d5277ccf8d9e01CVE-2023-33291
[Description]
In eBankIT 6, the public endpoints /public/token/Email/generate and
/public/token/SMS/generate allow generation of OTP messages to any email
address or phone number without validation.
------------------------------------------
[Additional Information]
The cookies in the request are not needed, they can be empty.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
eBankIT
------------------------------------------
[Affected Product Code Base]
eBankIT - Version 6
------------------------------------------
[Affected Component]
Public API Endpoint: /public/token/Email/generate
Public API Endpoint: /public/token/SMS/generate
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[CVE Impact Other]
Because these endpoints are public, and the values of the cookies are not
required, a threat actor could potentially leverage this functionality to
create a more realistic social engineering scenario that could potentially
affect clients.
------------------------------------------
[Attack Vectors]
To exploit this vulnerability, an attacker must intercept the request to
the api public endpoint: /public/token/Email/generate or
/public/token/SMS/generate. The attacker can modify the parameters to
choose which email or phone number the OTP would go to. This request can be
used without any type of restriction.
------------------------------------------
[Discoverer]
Steeven RodrÃguez
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed