An IDOR (insecure direct object reference) in the Address Management Book of the "E-commerce Extension", affecting previous versions of Meabilis CMS, allowed an attacker to expose the PII of all users who had registered on a website that used Meabilis. The patched version was automatically released to all affected websites.
PoC:
- Create an account on one of the websites that use Meabilis CMS.
- Go to the endpoint: /mbCore/users/contacts/load,form.html?contactsId=randomID
- Change randomID to a random number.
- You can view all users' PII, including full name, address, phone and email.
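The root cause of an IDOR like this one is a handler that checks only that the caller is logged in, then loads whatever record id the client supplies. The following is an added illustration, not code from Meabilis or from the advisory above: a minimal "load contact by id" handler in its vulnerable and hardened forms, plus a small detection routine that flags one session fetching many distinct contact ids. The contact records, the user ids, the log line format and the endpoint path used in the constructed log lines are all assumptions made for the example.

```python
"""Added example (not Meabilis code): the IDOR pattern on a 'load contact by id'
endpoint, shown as a vulnerable handler beside a hardened one, with a simple
enumeration detector over constructed access-log lines."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Contact:
    contacts_id: int
    owner_user_id: int
    full_name: str
    address: str
    phone: str
    email: str


# Constructed sample data: two users, each owning one address-book entry.
CONTACTS = {
    101: Contact(101, 1, "Alice Example", "1 Main St", "555-0101", "alice@example.test"),
    102: Contact(102, 2, "Bob Example", "2 High St", "555-0102", "bob@example.test"),
}


def load_contact_vulnerable(session_user_id: int, contacts_id: int) -> Optional[Contact]:
    """Shape of the bug: the caller is authenticated (a user id is present),
    but the record is fetched by the client-supplied id alone, so any logged-in
    user can read any other user's entry. session_user_id is never consulted."""
    return CONTACTS.get(contacts_id)


def load_contact_fixed(session_user_id: int, contacts_id: int) -> Optional[Contact]:
    """Hardened form: the lookup is scoped to the caller's own records.
    An id that exists but belongs to another user is answered exactly like a
    missing id, so the response does not reveal which ids are in use."""
    contact = CONTACTS.get(contacts_id)
    if contact is None or contact.owner_user_id != session_user_id:
        return None
    return contact


# Constructed log format (an assumption): "user=<session user id> GET <path>".
_LOG_RE = re.compile(
    r"user=(\d+) GET /mbCore/users/contacts/load,form\.html\?contactsId=(\d+)"
)

# Constructed sample log: user 7 walks through three ids, user 2 reads its own.
LOG = """\
user=7 GET /mbCore/users/contacts/load,form.html?contactsId=101
user=7 GET /mbCore/users/contacts/load,form.html?contactsId=102
user=7 GET /mbCore/users/contacts/load,form.html?contactsId=103
user=2 GET /mbCore/users/contacts/load,form.html?contactsId=102
"""


def flag_enumeration(log_lines, threshold: int = 2) -> set:
    """Return the set of session user ids that requested more than `threshold`
    distinct contactsId values. A legitimate user normally touches only their
    own few entries; a sweep across many ids is the signature of IDOR abuse."""
    seen = {}
    for line in log_lines:
        match = _LOG_RE.search(line)
        if not match:
            continue
        user_id, contacts_id = int(match.group(1)), int(match.group(2))
        seen.setdefault(user_id, set()).add(contacts_id)
    return {user for user, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    # User 1 asking for user 2's record: leaks through the vulnerable handler,
    # is refused by the fixed one.
    print(load_contact_vulnerable(1, 102))
    print(load_contact_fixed(1, 102))
    print(flag_enumeration(LOG.splitlines()))
```

The fix is an ownership check at the data-access layer rather than a less guessable id: unpredictable ids only hide the problem, while scoping every lookup to the authenticated principal removes it. The detector is deliberately simple; in practice the threshold and window would be tuned to the application's normal per-user access pattern.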