Starbucks: Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11

2019-12-20T10:25:48
ID H1:762251
Type hackerone
Reporter rugb
Modified 2020-07-22T16:04:44

Description

rugb discovered that the endpoint at https://www.starbucks.com.sg/RestApi/* was vulnerable to XML eXternal Entity (XXE) processing. This permitted arbitrary reading of files on the remote server. This asset is not rated as critical because it does not contain sensitive data.

@rugb — thank you for reporting this vulnerability and for confirming the resolution.