C2Box 4.0.0(r19171) Validation Bypass

Published: 28 Mar 2016. Reported by Harish Ramadoss. Type: packetstorm. Source: packetstormsecurity.com

C2Box 4.0.0(r19171) Validation Bypass allowing input of a negative value can corrupt business logic.

Related

| Family | Title / ID | Published | Source |
|---|---|---|---|
| CNVD | B.A.S C2Box Security Bypass Vulnerability | 30 Mar 2016 00:00 | cnvd |
| CVE | CVE-2015-4626 | 23 Jan 2017 21:00 | cve |
| Cvelist | CVE-2015-4626 | 23 Jan 2017 21:00 | cvelist |
| EUVD | EUVD-2015-4645 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2015-4626 | 23 Jan 2017 21:59 | nvd |
| Prion | Design/Logic Flaw | 23 Jan 2017 21:59 | prion |
```
#####################################
Title: Validation Bypass in C2Box application allows user to input negative value
Author: Harish Ramadoss
Vendor: boxautomation (B.A.S)
Product: C2Box
Version: All versions below 4.0.0(r19171)
Tested Version: Version 4.0.0(r19171)
Severity: Medium
CVE Reference: CVE-2015-4626

# About the Product:
B.A.S C2Box provides global solutions enabling full control and visibility over cash positions and managing domestic or cross-border payment processes.

# Description:
Performing validation only in client-side code, generally JavaScript, provides no protection for server-side code. An attacker can simply disable JavaScript or use a security testing proxy such as Burp Suite to bypass the client-side validation. Unvalidated input might corrupt business logic.

# Vulnerability Class:
Unvalidated Input - https://www.owasp.org/index.php/Unvalidated_Input

# How to Reproduce (PoC):
While creating an overdraft using the overdraft editor form in the C2Box application, disabling JavaScript disables the client-side validation; the submitted value can then be intercepted with a proxy and replaced with a negative value, corrupting the business logic.

# Disclosure:
Discovered: June 10, 2015
Vendor Notification: June 10, 2015
Advisory Publication: Mar 28, 2016
Public Disclosure: Mar 28, 2016

# Solution:
Upgrading to the latest build fixes this issue.
The new version number is 15.6.22
Release date: June 22, 2015

# Credits:
Harish Ramadoss
Senior Security Analyst
Help AG Middle East

# References:
[1] Help AG Middle East - http://www.helpag.com/
[2] http://www.boxautomation.com/
[3] https://www.owasp.org/index.php/Unvalidated_Input
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
```
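The defensive counterpart to the advisory's finding is a server-side check of the overdraft amount that does not depend on the browser's JavaScript. The following is an added illustration, not C2Box code or anything from the advisory; the form field name `amount`, the `MAX_OVERDRAFT` ceiling and the handler are assumptions.

```python
import re
from decimal import Decimal, InvalidOperation
from typing import Optional, Tuple

# Shape of an acceptable monetary amount: up to 12 integer digits and at most
# 2 decimals. No sign, exponent or separators, so "-100", "1e3", "NaN" and
# "Infinity" are rejected here before any arithmetic happens.
_AMOUNT_RE = re.compile(r"\d{1,12}(\.\d{1,2})?")

# Hypothetical policy ceiling for this example; a real limit comes from the
# customer's facility record, never from the submitted form.
MAX_OVERDRAFT = Decimal("1000000.00")


def validate_overdraft_amount(raw: Optional[str]) -> Tuple[bool, str, Optional[Decimal]]:
    """Server-side check of the overdraft amount exactly as received.

    Returns (ok, reason, value). Because it runs on every request, disabling
    JavaScript in the browser or editing the request in a proxy changes nothing.
    """
    if raw is None:
        return False, "missing", None
    text = raw.strip()
    if not _AMOUNT_RE.fullmatch(text):
        return False, "malformed", None
    try:
        value = Decimal(text)
    except InvalidOperation:
        return False, "malformed", None
    if value <= 0:
        return False, "non_positive", None
    if value > MAX_OVERDRAFT:
        return False, "over_limit", None
    return True, "ok", value


def handle_overdraft_form(form: dict) -> dict:
    """Accept or reject one submission of the assumed 'amount' field.

    Client-supplied hints such as form['validated'] are ignored; only the
    server's own check decides. A rejection is also worth logging, since an
    intact browser form would never have sent such a value.
    """
    ok, reason, value = validate_overdraft_amount(form.get("amount"))
    if not ok:
        return {"status": "rejected", "reason": reason}
    return {"status": "accepted", "amount": str(value)}


if __name__ == "__main__":
    # Constructed submissions: a normal one and one tampered past the client check.
    print(handle_overdraft_form({"amount": "250.00", "validated": "true"}))
    print(handle_overdraft_form({"amount": "-250.00", "validated": "true"}))
```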
