CVE-2023-33291

[Description]
In eBankIT 6, the public endpoints /public/token/Email/generate and
/public/token/SMS/generate allow generation of OTP messages to any email
address or phone number without validation.
------------------------------------------

[Additional Information]
The cookies in the request are not needed, they can be empty.

------------------------------------------

[Vulnerability Type]
Insecure Permissions

------------------------------------------

[Vendor of Product]
eBankIT

------------------------------------------

[Affected Product Code Base]
eBankIT - Version 6

------------------------------------------

[Affected Component]
Public API Endpoint: /public/token/Email/generate
Public API Endpoint: /public/token/SMS/generate

------------------------------------------

[Attack Type]
Remote

------------------------------------------

 [Impact Denial of Service]
 true

------------------------------------------
[CVE Impact Other]
Because these endpoints are public, and the values of the cookies are not
required, a threat actor could potentially leverage this functionality to
create a more realistic social engineering scenario that could potentially
affect clients.

------------------------------------------
[Attack Vectors]
To exploit this vulnerability, an attacker must intercept the request to
the api public endpoint: /public/token/Email/generate or
/public/token/SMS/generate. The attacker can modify the parameters to
choose which email or phone number the OTP would go to. This request can be
used without any type of restriction.

 ------------------------------------------

 [Discoverer]
Steeven Rodríguez