
๐Ÿ  Team IT Security News




📚 Visma Bug Bounty Program: A user can view the name and number of a customer in another company if the GUID is known


💡 News category: Security vulnerabilities
🔗 Source: vulners.com


An IDOR vulnerability exists in /api/internal/customerlabels/, allowing an attacker to attach a label to a customer in another company if they already know that customer's UUID. The result is that the name and number of the customer are shown in the attacker's own context. As all objects in the API are referenced by UUID (which is infeasible to brute-force), IDOR attacks here assume some prior knowledge of the UUID, for example a read-only user of one company who wants to execute write actions on its data from a company of their own. The unguessable identifier is therefore not an access control: the server trusts the UUIDs in the request body without checking that they belong to the caller's company.

Steps To Reproduce:

1. As victim, go to Customers and select a customer you want to be the victim. Take note of the UUID in the URL, e.g. https://eaccounting.stage.vismaonline.com/#/sales/customer/01234567-890a-bcde-f012-34567890abcd
2. As attacker, go to Settings > Customer Labels > Add/Edit a label. Enter valid data, then intercept requests. Click Save.
3. In the intercepted PUT /api/internal/customerlabels request, change the value of connectedCustomers to include the victim UUID. Forward the request; it will succeed.
4. As attacker, edit the label again. The victim customer's name and number, which were unknown previously, are now displayed.

The Visma team was quick to respond, triage, and reward. I appreciate Daniel and Martin's responsiveness that made reporting a seamless...
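The root cause above is an object-level authorization check that covers the label being edited but not the customer UUIDs nested in connectedCustomers. The following is an added example, not Visma's code and not part of the original report: a minimal in-memory model of that PUT handler with the vulnerable tenant check beside a hardened one. The company identifiers, customer records, the Forbidden error type and all function names are constructed for illustration; the victim UUID is the placeholder from the report.

```python
"""Added example (not Visma's code): object-level authorization on nested IDs.

Models the customer-label update from the report. update_label_vulnerable
trusts the UUIDs in connectedCustomers; update_label_hardened verifies that
every referenced customer belongs to the caller's company. All data below
is constructed.
"""
from dataclasses import dataclass, field
import uuid


@dataclass(frozen=True)
class Customer:
    id: str          # UUID string, as seen in the eAccounting URL
    company_id: str  # tenant the customer belongs to
    name: str
    number: str


@dataclass
class Label:
    id: str
    company_id: str
    name: str
    connected_customers: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when a caller references an object outside their own company."""


# Constructed sample data: two tenants, one customer each.
CUSTOMERS = {
    "01234567-890a-bcde-f012-34567890abcd": Customer(
        "01234567-890a-bcde-f012-34567890abcd", "company-victim", "Acme AB", "1001"),
    "ffffffff-aaaa-bbbb-cccc-dddddddddddd": Customer(
        "ffffffff-aaaa-bbbb-cccc-dddddddddddd", "company-attacker", "Own Customer", "2001"),
}


def _normalize(cid: str) -> str:
    # Canonicalise the UUID (casing, braces) so the tenant lookup cannot be
    # bypassed with an alternative spelling; malformed input raises ValueError.
    return str(uuid.UUID(cid))


def _render(label: Label) -> dict:
    # The view joins connected customers and echoes name and number. This is
    # the point at which a foreign customer's data leaks in the vulnerable path.
    return {
        "label": label.name,
        "customers": [
            {"id": c, "name": CUSTOMERS[c].name, "number": CUSTOMERS[c].number}
            for c in sorted(label.connected_customers) if c in CUSTOMERS
        ],
    }


def update_label_vulnerable(label: Label, caller_company: str, connected: list) -> dict:
    """PUT as the report describes it: the label is scoped to the caller's
    company, but the UUIDs in connectedCustomers are accepted as-is."""
    if label.company_id != caller_company:
        raise Forbidden("label belongs to another company")
    label.connected_customers = set(connected)
    return _render(label)


def update_label_hardened(label: Label, caller_company: str, connected: list) -> dict:
    """Same operation with the missing check: every referenced customer must
    exist and belong to the caller's company. Unknown and foreign UUIDs get
    the same error so the response does not confirm that a foreign UUID exists."""
    if label.company_id != caller_company:
        raise Forbidden("label belongs to another company")
    resolved = set()
    for cid in connected:
        key = _normalize(cid)
        cust = CUSTOMERS.get(key)
        if cust is None or cust.company_id != caller_company:
            raise Forbidden("customer not found")
        resolved.add(key)
    label.connected_customers = resolved
    return _render(label)


def demo() -> tuple:
    """Replays the report's steps against both handlers."""
    victim_id = "01234567-890a-bcde-f012-34567890abcd"
    label = Label(str(uuid.uuid4()), "company-attacker", "VIP")
    leaked = update_label_vulnerable(label, "company-attacker", [victim_id])
    try:
        update_label_hardened(label, "company-attacker", [victim_id])
        blocked = "not blocked"
    except Forbidden as exc:
        blocked = str(exc)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The hardening is deliberately per-ID rather than a single check on the top-level resource: any request field that carries an identifier (here connectedCustomers) needs the same tenant ownership test as the URL path, and rejecting foreign and non-existent UUIDs with the same response avoids turning the endpoint into an existence oracle.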


