Headline
eBankIT 6 Arbitrary OTP Generation
In eBankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any email address or phone number without validation.
CVE-2023-33291
[Description]
In eBankIT 6, the public endpoints /public/token/Email/generate and
/public/token/SMS/generate allow generation of OTP messages to any email
address or phone number without validation.
[Additional Information]
The cookies in the request are not needed, they can be empty.
[Vulnerability Type]
Insecure Permissions
[Vendor of Product]
eBankIT
[Affected Product Code Base]
eBankIT - Version 6
[Affected Component]
Public API Endpoint: /public/token/Email/generate
Public API Endpoint: /public/token/SMS/generate
[Attack Type]
Remote
[Impact Denial of Service]
true
[CVE Impact Other]
Because these endpoints are public, and the values of the cookies are not
required, a threat actor could potentially leverage this functionality to
create a more realistic social engineering scenario that could potentially
affect clients.
[Attack Vectors]
To exploit this vulnerability, an attacker must intercept the request to
the api public endpoint: /public/token/Email/generate or
/public/token/SMS/generate. The attacker can modify the parameters to
choose which email or phone number the OTP would go to. This request can be
used without any type of restriction.
[Discoverer]
Steeven Rodríguez
Related news
In ebankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any e-mail address or phone number without validation. (It cannot be exploited with e-mail addresses or phone numbers that are registered in the application.)