An IDOR in the Address Management Book of the "E-commerce Extension", affecting previous versions of Meabilis CMS, allowed an attacker to expose the PII of all users who registered on a website which used Meabilis. The patched version was automatically released to all affected websites.
PoC:
- Create an account on one of the websites which use Meabilis CMS
- Go to the endpoint: /mbCore/users/contacts/load,form.html?contactsId=randomID
- Replace randomID with a random number: you can view all users' PII, including full name, address, phone and email.
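The root cause described above is a lookup keyed only on the client-supplied contactsId, with no check that the record belongs to the authenticated account. The following is an added illustration, not Meabilis CMS code: the record store, user ids and function names are assumptions. It models the vulnerable lookup beside the hardened one, plus a small audit helper a defender can use in tests to confirm that each user sees only their own entries.

```python
"""
Model of an IDOR in an address-book "load contact" endpoint and the ownership
check that fixes it. Hypothetical, constructed example: the contact store,
user ids and function names are assumptions, not Meabilis CMS code.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Contact:
    contacts_id: int
    owner_id: int          # the account that created this address-book entry
    full_name: str
    address: str
    phone: str
    email: str


# Constructed sample data standing in for the CMS's contacts table.
CONTACTS = {
    101: Contact(101, 1, "Alice Example", "1 Rue Exemple", "+33 1 00 00 00 01", "alice@example.invalid"),
    102: Contact(102, 2, "Bob Example", "2 Rue Exemple", "+33 1 00 00 00 02", "bob@example.invalid"),
    103: Contact(103, 2, "Bob Work", "3 Rue Exemple", "+33 1 00 00 00 03", "bob.work@example.invalid"),
}


class NotFound(Exception):
    """No record exists, or (in the fixed version) none that the caller may see."""


def load_contact_vulnerable(contacts_id: int, current_user_id: int) -> Contact:
    """
    The IDOR pattern: the handler authenticates the session (current_user_id is
    known) but then fetches the record by the client-supplied id alone, so any
    logged-in user can read any other user's entry by changing contactsId.
    """
    contact = CONTACTS.get(contacts_id)
    if contact is None:
        raise NotFound(contacts_id)
    return contact            # no ownership check -> cross-account disclosure


def load_contact_fixed(contacts_id: int, current_user_id: int) -> Contact:
    """
    Hardened lookup: the record must belong to the authenticated user. In SQL
    this is the difference between
        WHERE contacts_id = ?
    and
        WHERE contacts_id = ? AND owner_id = ?
    A foreign id is treated exactly like a non-existent one (404 rather than
    403), so the response does not confirm that the id exists.
    """
    contact = CONTACTS.get(contacts_id)
    if contact is None or contact.owner_id != current_user_id:
        raise NotFound(contacts_id)
    return contact


Loader = Callable[[int, int], Contact]


def probe(loader: Loader, contacts_id: int, current_user_id: int) -> Optional[str]:
    """Return the email a loader exposes to this user, or None if access is refused."""
    try:
        return loader(contacts_id, current_user_id).email
    except NotFound:
        return None


def visible_contact_ids(loader: Loader, current_user_id: int) -> List[int]:
    """
    Audit helper for a regression test: walk every stored id as the given user
    and report which records the loader hands back. With correct authorization
    the result must equal the set of records the user actually owns.
    """
    return sorted(cid for cid in CONTACTS if probe(loader, cid, current_user_id) is not None)


if __name__ == "__main__":
    for name, loader in (("vulnerable", load_contact_vulnerable), ("fixed", load_contact_fixed)):
        print(f"{name:10s} user 1 sees contact ids {visible_contact_ids(loader, 1)}")
```

The audit helper is the check worth keeping in a test suite: for each role or user, assert that the ids returned equal the ids that user owns. Scoping the query to the owner (rather than fetching and then comparing) also closes the gap where a later code path forgets the comparison.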
Discovered by Lucas S., August 2024.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-44786
- https://www.cve.org/CVERecord?id=CVE-2024-44786
- https://www.nethik.fr
[Vendor of Product] Nethik.fr
[Affected Product Code Base] Meabilis CMS - 1.0 and earlier (<= 1.0)
[Affected Component] E-commerce Extension - Address Management Book
[Attack Type] Remote
[Impact Information Disclosure] true