CERT-In Vulnerability Note
CIVN-2024-0291
Multiple Vulnerabilities in Reedos Mutual Fund Distribution Product (aiM-Star)
Original Issue Date: September 11, 2024
Severity Rating: HIGH
Systems Affected
- Reedos Mutual Fund Distribution Product (aiM-Star) - version 2.0.1
Overview
Multiple vulnerabilities have been reported in the Reedos Mutual Fund Distribution Product (aiM-Star). A remote attacker could exploit them to perform OTP bombing, parameter tampering or brute-force attacks, or to gain unauthorized access to sensitive information belonging to other user accounts.
Description
1. Improper Authorization Vulnerability (CVE-2024-45786)
This vulnerability exists in Reedos aiM-Star due to improper access controls on certain of its API endpoints. An authenticated remote attacker could exploit it by manipulating a parameter in the API request URL, gaining unauthorized access to sensitive information belonging to other users.
2. Information Disclosure Vulnerability (CVE-2024-45787)
This vulnerability exists in Reedos aiM-Star due to the transmission of sensitive information in plain text by certain API endpoints. An authenticated remote attacker could exploit it by manipulating a parameter in the API request URL and intercepting the API response, leading to exposure of sensitive information belonging to other users.
3. No Rate Limiting Vulnerability (CVE-2024-45788)
This vulnerability exists in Reedos aiM-Star due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit it by sending multiple OTP requests through the vulnerable API endpoints, leading to OTP bombing/flooding on the targeted system.
4. Parameter Tampering Vulnerability (CVE-2024-45789)
This vulnerability exists in Reedos aiM-Star due to improper validation of the "mode" parameter in the API endpoint used during the registration process. An authenticated remote attacker could exploit it by manipulating the parameter in the API request body of the vulnerable application. Successful exploitation could allow the attacker to bypass certain constraints in the registration process, leading to the creation of multiple accounts.
5. User Enumeration Vulnerability (CVE-2024-45790)
This vulnerability exists in Reedos aiM-Star due to missing restrictions on excessive failed authentication attempts against its API-based login. A remote attacker could exploit it by conducting a brute-force attack against legitimate user passwords, which could lead to unauthorized access and the compromise of other user accounts.
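As an added illustration of the controls whose absence underlies items 3 and 5 (not code from the advisory or from the vendor), the following Python sketch throttles OTP issuance per account and per source IP and applies a temporary lockout after repeated failed logins while returning a uniform failure response. The thresholds, window sizes, account identifiers and IP address are assumptions constructed for the example.

```python
import time
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key inside a trailing time window (in-memory; a shared
    store would be needed across several API instances)."""

    def __init__(self, window_s: float) -> None:
        self.window_s = window_s
        self._events = defaultdict(deque)

    def count(self, key: str, now: float) -> int:
        q = self._events[key]
        while q and now - q[0] >= self.window_s:  # drop events older than the window
            q.popleft()
        return len(q)

    def record(self, key: str, now: float) -> None:
        self._events[key].append(now)


# Thresholds are assumptions for illustration, not values from the advisory or vendor.
OTP_PER_ACCOUNT = SlidingWindowCounter(window_s=600)  # max 3 OTPs per account / 10 min
OTP_PER_IP = SlidingWindowCounter(window_s=600)       # max 20 OTPs per source IP / 10 min
FAILED_LOGINS = SlidingWindowCounter(window_s=900)    # lock after 5 failures / 15 min


def request_otp(account_id: str, client_ip: str, now: float) -> str:
    """Mitigation for missing OTP rate limiting: throttle per account and per source IP."""
    if OTP_PER_IP.count(client_ip, now) >= 20 or OTP_PER_ACCOUNT.count(account_id, now) >= 3:
        return "throttled"  # same response whether or not the account exists
    OTP_PER_IP.record(client_ip, now)
    OTP_PER_ACCOUNT.record(account_id, now)
    return "otp_sent"


def login(account_id: str, password_ok: bool, now: float) -> str:
    """Mitigation for unrestricted failed logins: temporary lockout, uniform failure response.
    `password_ok` stands in for a real password-hash verification."""
    if FAILED_LOGINS.count(account_id, now) >= 5:
        return "denied"  # locked: the password is not even evaluated
    if password_ok:
        return "ok"
    FAILED_LOGINS.record(account_id, now)
    return "denied"  # identical to the locked response, so no enumeration signal


if __name__ == "__main__":
    t = time.monotonic()
    print([request_otp("acct-1", "198.51.100.7", t + i) for i in range(4)])
```

Because the window is time-based, the lockout lifts on its own, which bounds the denial-of-service impact of an attacker deliberately failing logins against a victim account.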
Credit
These vulnerabilities were reported by Mohit Gadiya.
Solution
- Upgrade Reedos Mutual Fund Distribution Product (aiM-Star) to version 2.0.2
Vendor Information
Reedos Software Solutions
https://www.reedos.com/
References
Reedos Software Solutions
https://www.reedos.com/
CVE Name
CVE-2024-45786
CVE-2024-45787
CVE-2024-45788
CVE-2024-45789
CVE-2024-45790
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India