CVE-2021-36436: GitHub - Laransec/Mobicint: Information Disclosure in Mobicint API for Credit Unions
An issue in Mobicint Backend for Credit Unions v3 allows attackers to retrieve partial email addresses and user-entered information via submission to the forgotten-password endpoint.
Information Disclosure in Mobicint API for Credit Unions
Summary:
Information regarding members is disclosed unnecessarily to an attacker. This information can be enumerated easily and provides an attacker with partial email addresses as well as customer-entered information. Combined with a member ID number, this can lead to possible account compromise. There is a possibility for further injection, but I have not investigated due to lack of a security disclosure program or contact with the company.
Steps To Reproduce:
Post a value in the memberID field of the forgot-password request. The ID corresponds to the member number of an actual credit union member.
Data is returned for that member. The Label field is user-generated and can contain sensitive information if the member has entered it; the address field is only partially redacted.
Possible Impacts:
Personal information can be compromised if the customer has entered it into the notes field. Further RCE may be possible, as I was able to get a stack trace with some malformed input. I did not continue testing due to lack of documented security testing policies.
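The three weaknesses described above (the forgot-password endpoint echoes lookup results, member numbers can be enumerated freely, and malformed input surfaces a stack trace) share one fix pattern: a uniform response that does not depend on whether the member exists, per-source throttling, strict input validation, and opaque error handling. The following is an added example of that pattern, written for this page; it is not Mobicint's code or schema. The member records, the field names, the `ForgotPasswordService` class and the threshold values are all constructed for illustration.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed sample member records; not real data and not Mobicint's schema.
MEMBERS = {
    "100234": {"email": "alice@example.com", "label": "joint acct - safe combo 12-34-56"},
    "100235": {"email": "bob@example.com", "label": ""},
}

# The only body a forgot-password request ever returns on success.
GENERIC_RESPONSE = {
    "status": "ok",
    "message": "If that member number is on file, reset instructions have been sent.",
}


def leaky_response(member):
    """The pattern the advisory describes: the lookup result is echoed to the caller."""
    local, _, domain = member["email"].partition("@")
    return {"email": local[:2] + "***@" + domain, "label": member["label"]}


class ForgotPasswordService:
    """Hypothetical hardened handler: same body for every valid request, throttled per source."""

    def __init__(self, members, max_requests=5, window_seconds=600, clock=time.monotonic):
        self.members = members
        self.max_requests = max_requests
        self.window = window_seconds
        self._clock = clock
        self._requests = defaultdict(deque)  # source -> timestamps of recent requests
        self.sent_resets = []                 # (email, token) pairs delivered out of band
        self.last_error = None                # stand-in for a server-side error log

    def _throttled(self, source):
        """Sliding-window limit: at most max_requests per source per window."""
        now = self._clock()
        recent = self._requests[source]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return True
        recent.append(now)
        return False

    def handle(self, source, member_id):
        """Return (body, http_status). The body never depends on whether member_id exists."""
        try:
            if self._throttled(source):
                return {"status": "error", "message": "Too many requests."}, 429
            # Strict input validation: a member number is a short string of digits.
            if not isinstance(member_id, str) or not member_id.isdigit() or len(member_id) > 12:
                return {"status": "error", "message": "Invalid request."}, 400
            # Do the same work on both paths so timing does not reveal existence.
            token = secrets.token_urlsafe(32)
            member = self.members.get(member_id)
            if member is not None:
                # The e-mail and label stay server-side; only the mail channel sees them.
                self.sent_resets.append((member["email"], token))
            return dict(GENERIC_RESPONSE), 200
        except Exception as exc:
            # Keep the stack trace in the server log; the client gets an opaque error.
            self.last_error = repr(exc)
            return {"status": "error", "message": "Request could not be processed."}, 500
```

The check that matters is that `handle()` returns byte-identical bodies for a member number that exists and one that does not, and that the only observable difference is an e-mail delivered out of band; a reviewer can assert that property directly, as the test below does.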