-
-
Save exviry/9527ce2ccdc0718d3ffd1e3ca62cf304 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CVE-2021-35060 | |
------------------------------------------ | |
A payment card number (PAN) enumeration in WAY4 ACS before 1.2.278-2693 can be done due to different error messages. | |
------------------------------------------ | |
[Additional Information] | |
During penetration testing of our clients' infrastructure, we discovered vulnerabilities in a third-party software - WAY4 ACS. | |
3DS card enrollment page (/way4acs/enroll) accepts payment card number (PAN) for input. The application returns two different error messages if the number doesn't exist in the system or if the number exists but isn't ready for 3DS enrollment. | |
------------------------------------------ | |
[VulnerabilityType Other] | |
Sensitive data disclosure | |
------------------------------------------ | |
[Vendor of Product] | |
OpenWay Group | |
------------------------------------------ | |
[Affected Product Code Base] | |
WAY4 ACS before V.1.2.278-2693 | |
------------------------------------------ | |
[Has vendor confirmed or acknowledged the vulnerability?] | |
True | |
------------------------------------------ | |
[Affected Component] | |
/way4acs/enroll | |
----------------------------------------- | |
[Attack Type] | |
Remote | |
------------------------------------------ | |
[Discoverer] | |
Aleksey Shupletsov | |
Deiteriy Co. Ltd. (https://deiteriylab.com/) | |
------------------------------------------ | |
[Reference] | |
OpenWay Group (https://www.openwaygroup.com/way4-platform) | |
Aleksey Shupletsov / Deiteriy Co. Ltd. (https://deiteriylab.com/) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment