hackerone · spaceraccoon · H1:788375
Feb 03, 2020 - 5:32 p.m.

Visma Bug Bounty Program: A user can view the name and number of a customer in another company if the GUID is known

spaceraccoon · hackerone.com · $250

An IDOR vulnerability exists in /api/internal/customerlabels/, allowing an attacker to add a label to a customer in another company if they have prior knowledge of the customer's UUID. As a result, the name and number of that customer are shown in the attacker's context.

As all objects in the API are referenced by UUID (which is impossible to brute-force), IDOR attacks assume some prior knowledge of the UUID, for example a read-only user of the victim company who wants to execute write actions from a company of their own.

Steps To Reproduce:
1. As victim, go to Customers and select a customer you want to be the victim. Take note of the UUID in the URL, e.g. https://eaccounting.stage.vismaonline.com/#/sales/customer/01234567-890a-bcde-f012-34567890abcd
2. As attacker, go to Settings > Customer Labels > Add/Edit a label. Enter valid data, then intercept requests. Click Save. In the intercepted PUT /api/internal/customerlabels request, change the value of connectedCustomers to include the victim UUID. Forward; the request will succeed.
3. As attacker, edit the label again. The victim customer name and number, which were unknown previously, are now displayed.
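The root cause is that the label update authorises the label but trusts every UUID in connectedCustomers. The following is an added illustration, not Visma's code: a constructed in-memory model of two companies, a handler with the defect described above, and a corrected handler that resolves every referenced customer inside the caller's own company before linking it (data, company ids and helper names are all made up).

```python
from dataclasses import dataclass, field

# Constructed sample tenants, customers and labels (not Visma data; UUIDs are made up).
@dataclass
class Customer:
    id: str
    company_id: str
    name: str
    number: str

@dataclass
class Label:
    id: str
    company_id: str
    connected_customers: list = field(default_factory=list)

VICTIM_ID = "01234567-890a-bcde-f012-34567890abcd"    # customer of company A
OWN_ID = "11111111-2222-3333-4444-555555555555"       # customer of company B

CUSTOMERS = {
    VICTIM_ID: Customer(VICTIM_ID, "company-A", "Acme Ltd", "C-1001"),
    OWN_ID: Customer(OWN_ID, "company-B", "Own Customer", "C-2001"),
}

class Forbidden(Exception):
    pass

def update_label_vulnerable(label, caller_company, connected_ids):
    """Authorises only the label, then trusts every UUID in connectedCustomers."""
    if label.company_id != caller_company:
        raise Forbidden("label belongs to another company")
    label.connected_customers = list(connected_ids)
    # Echoing the linked customers back discloses name/number for any global UUID.
    return [(CUSTOMERS[c].name, CUSTOMERS[c].number) for c in label.connected_customers]

def update_label_fixed(label, caller_company, connected_ids):
    """Resolves every referenced customer within the caller's company only."""
    if label.company_id != caller_company:
        raise Forbidden("label belongs to another company")
    in_tenant = {c.id: c for c in CUSTOMERS.values() if c.company_id == caller_company}
    foreign = [c for c in connected_ids if c not in in_tenant]
    if foreign:
        # One response for "does not exist" and "exists in another company", so the
        # endpoint cannot be used to confirm that a guessed UUID is valid.
        raise Forbidden("unknown customer id(s)")
    label.connected_customers = list(connected_ids)
    return [(in_tenant[c].name, in_tenant[c].number) for c in connected_ids]
```

The same tenant-scoped lookup belongs in the read path (the "edit the label again" step), since a stored cross-company link would otherwise still be rendered.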
The Visma team was quick to respond, triage, and reward. I appreciate Daniel and Martin’s responsiveness that made reporting a seamless process.