CVE-2022-34775

EPSS 0.23%
Veröffentlicht 22.08.2022 15:15:16
Zuletzt bearbeitet 21.11.2024 07:10:09
Quelle cna@cyber.gov.il
CVE-Watchlists
Login
Unerledigt
Login

Tabit - Excessive data exposure. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. This can be used to query the http://tgm-api.tabit.cloud/rsv/management/{reservationId}?organization={orgId} API which returns a lot of data regarding the reservation (OWASP: API3): Name, mail, phone number, the number of visits of the user to this specific restaurant, the money he spent there, the money he spent on alcohol, whether he left a deposit etc. This information can easily be used for a phishing attack.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tabit ≫ Tabit Version < 3.27.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.456

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cna@cyber.gov.il	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://www.gov.il/en/departments/faq/cve_advisories

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-34775

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-34775

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-34775

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-34775