CVE-2022-30628 Supersmart.me – Walk Through access to business information without authentication

2022-07-21 15:37:28
INCD
www.cve.org
supersmart.me
business information
authentication
api
invoice images
security vulnerability

CVSS3

4.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

5.7

Confidence

High

EPSS

0

Percentile

12.6%

It was possible to download all receipts without authentication. An attacker must first access the API https://XXXX.supersmart.me/services/v4/customer/signin to obtain a TOKEN. They can then access the API that provides invoice images via the URL https://XXXX.supersmart.me/services/v4/invoiceImg?orderId=XXXXX

CNA Affected

[
  {
    "product": "Supersmart.me – Walk Through",
    "vendor": "Supersmart.me",
    "versions": [
      {
        "lessThan": "Update to the latest version*",
        "status": "affected",
        "version": "Update to the latest version",
        "versionType": "custom"
      }
    ]
  }
]
