Skip to content

Instantly share code, notes, and snippets.

@exviry

exviry/CVE-2021-35060 Secret

Last active June 22, 2021 08:57
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save exviry/9527ce2ccdc0718d3ffd1e3ca62cf304 to your computer and use it in GitHub Desktop.
Save exviry/9527ce2ccdc0718d3ffd1e3ca62cf304 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
CVE-2021-35060
CVE-2021-35060
------------------------------------------
A payment card number (PAN) enumeration in WAY4 ACS before 1.2.278-2693 can be done due to different error messages.
------------------------------------------
[Additional Information]
During penetration testing of our clients' infrastructure, we discovered vulnerabilities in a third-party software - WAY4 ACS.
3DS card enrollment page (/way4acs/enroll) accepts payment card number (PAN) for input. The application returns two different error messages if the number doesn't exist in the system or if the number exists but isn't ready for 3DS enrollment.
------------------------------------------
[VulnerabilityType Other]
Sensitive data disclosure
------------------------------------------
[Vendor of Product]
OpenWay Group
------------------------------------------
[Affected Product Code Base]
WAY4 ACS before V.1.2.278-2693
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
True
------------------------------------------
[Affected Component]
/way4acs/enroll
-----------------------------------------
[Attack Type]
Remote
------------------------------------------
[Discoverer]
Aleksey Shupletsov
Deiteriy Co. Ltd. (https://deiteriylab.com/)
------------------------------------------
[Reference]
OpenWay Group (https://www.openwaygroup.com/way4-platform)
Aleksey Shupletsov / Deiteriy Co. Ltd. (https://deiteriylab.com/)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment