@luluhackme
Last active December 4, 2024 20:23

CVE-2024-44786: IDOR in "E-commerce Extension" of Meabilis CMS 1.0 exposing users' PII

An IDOR in the Address Management Book of the "E-commerce Extension", affecting earlier versions of Meabilis CMS, allowed an attacker to expose the PII of all users who had registered on a website that used Meabilis. The patched version was automatically released to all affected websites.

PoC:

  • Create an account on one of the websites that use Meabilis CMS
  • Go to the endpoint: /mbCore/users/contacts/load,form.html?contactsId=randomID
  • Replace randomID with an arbitrary number
  • You can view all users' PII, including full name, address, phone and email.
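The defect behind the PoC above is a record lookup keyed only on the client-supplied contactsId, with no check that the record belongs to the authenticated user. The following is an added illustration, not Meabilis CMS code (its real handler, data model and log format are not known here): a minimal in-memory address book with the flawed loader beside an ownership-scoped one, plus a small access-log heuristic that flags a session requesting many distinct contactsId values. All names (ContactStore, load_contact_vulnerable, load_contact_fixed, find_enumeration) and the sample contacts and log lines are assumptions constructed for this example.

```python
"""Added example (not Meabilis code): an insecure direct object reference on an
address-book lookup, the ownership check that removes it, and a log heuristic
that surfaces enumeration of the contactsId parameter.

Every name and every sample value below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Contact:
    contact_id: int
    owner_user_id: int   # the user who created this address-book entry
    full_name: str
    address: str
    phone: str
    email: str


class NotFound(Exception):
    """Raised for a missing record and, in the fixed loader, for a foreign one."""


class ContactStore:
    def __init__(self, contacts: List[Contact]):
        self._by_id: Dict[int, Contact] = {c.contact_id: c for c in contacts}

    def get(self, contact_id: int) -> Optional[Contact]:
        return self._by_id.get(contact_id)


# Constructed sample data: two users, one address-book entry each.
SAMPLE_CONTACTS = [
    Contact(1, 100, "Alice Example", "1 Rue Exemple", "+33 1 00 00 00 01", "alice@example.invalid"),
    Contact(2, 200, "Bob Example", "2 Rue Exemple", "+33 1 00 00 00 02", "bob@example.invalid"),
]


def demo_store() -> ContactStore:
    return ContactStore(SAMPLE_CONTACTS)


def load_contact_vulnerable(store: ContactStore, _session_user_id: int, contacts_id: int) -> Contact:
    """The flawed pattern: the record is fetched by its id alone, so any logged-in
    user who changes contactsId reads another user's PII."""
    contact = store.get(contacts_id)
    if contact is None:
        raise NotFound()
    return contact


def load_contact_fixed(store: ContactStore, session_user_id: int, contacts_id: int) -> Contact:
    """Hardened pattern: the lookup is scoped to the authenticated owner. A foreign
    id produces the same NotFound as a missing id, so the response does not tell
    the caller whether that id exists."""
    contact = store.get(contacts_id)
    if contact is None or contact.owner_user_id != session_user_id:
        raise NotFound()
    return contact


# Constructed access-log lines in the form "<session> <method> <path>".
SAMPLE_ACCESS_LOG = """\
sess-A GET /mbCore/users/contacts/load,form.html?contactsId=41
sess-A GET /mbCore/users/contacts/load,form.html?contactsId=42
sess-A GET /mbCore/users/contacts/load,form.html?contactsId=43
sess-A GET /mbCore/users/contacts/load,form.html?contactsId=44
sess-B GET /mbCore/users/contacts/load,form.html?contactsId=7
sess-B GET /mbCore/users/contacts/load,form.html?contactsId=7
"""


def find_enumeration(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Return {session: distinct contactsId count} for sessions that requested at
    least `threshold` different ids; a legitimate user only touches their own
    handful of addresses, so a wide spread is worth an alert."""
    ids_per_session = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        session, _method, path = parts
        query = parse_qs(urlparse(path).query)
        for value in query.get("contactsId", []):
            ids_per_session[session].add(value)
    return {s: len(ids) for s, ids in ids_per_session.items() if len(ids) >= threshold}


if __name__ == "__main__":
    store = demo_store()
    leaked = load_contact_vulnerable(store, 100, 2)        # user 100 reads user 200's entry
    print("vulnerable loader leaked:", leaked.email)
    try:
        load_contact_fixed(store, 100, 2)
    except NotFound:
        print("fixed loader refused the foreign contactsId")
    print("sessions enumerating contactsId:", find_enumeration(SAMPLE_ACCESS_LOG))
```

The fixed loader deliberately collapses "does not exist" and "not yours" into one response; returning a distinct 403 for foreign ids would still let a caller confirm which ids are valid. The log heuristic is a coarse first signal rather than a rule: tune the threshold to how many addresses a real customer keeps, and treat it as a pointer toward the authorization check that actually closes the hole.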

Discovered by Lucas S., August 2024.

References:

  • [Vendor of Product] Nethik.fr
  • [Affected Product Code Base] Meabilis CMS - 1.0 (=<)
  • [Affected Component] E-commerce Extension - Address Management Book
  • [Attack Type] Remote
  • [Impact Information Disclosure] true
