Skip to content

Instantly share code, notes, and snippets.

@exviry
Last active Jun 22, 2021
Embed
What would you like to do?
CVE-2021-35060
------------------------------------------
A payment card number (PAN) enumeration in WAY4 ACS before 1.2.278-2693 can be done due to different error messages.
------------------------------------------
[Additional Information]
During penetration testing of our clients' infrastructure, we discovered vulnerabilities in a third-party software - WAY4 ACS.
3DS card enrollment page (/way4acs/enroll) accepts payment card number (PAN) for input. The application returns two different error messages if the number doesn't exist in the system or if the number exists but isn't ready for 3DS enrollment.
------------------------------------------
[VulnerabilityType Other]
Sensitive data disclosure
------------------------------------------
[Vendor of Product]
OpenWay Group
------------------------------------------
[Affected Product Code Base]
WAY4 ACS before V.1.2.278-2693
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
True
------------------------------------------
[Affected Component]
/way4acs/enroll
-----------------------------------------
[Attack Type]
Remote
------------------------------------------
[Discoverer]
Aleksey Shupletsov
Deiteriy Co. Ltd. (https://deiteriylab.com/)
------------------------------------------
[Reference]
OpenWay Group (https://www.openwaygroup.com/way4-platform)
Aleksey Shupletsov / Deiteriy Co. Ltd. (https://deiteriylab.com/)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment