CERT-In Vulnerability Note
CIVN-2024-0313
Multiple Vulnerabilities in Shilpi products
Original Issue Date: October 04, 2024
Severity Rating: HIGH
Systems Affected
- Client Dashboard versions prior to 9.7.0
- Net Back Office versions prior to 5.5.002
Overview
Multiple vulnerabilities have been reported in Shilpi products, which could allow a remote attacker to enumerate users, bypass OTP verification, manipulate transactions without authorization, or gain unauthorized access to sensitive information in other users' accounts.
Description
1. Parameter Pollution Vulnerability (CVE-2024-47651)
This vulnerability exists in Client Dashboard due to improper handling of repeated parameters in an API endpoint. An authenticated remote attacker could exploit it by including multiple "userid" parameters in the API request body, which could lead to unauthorized access to sensitive information belonging to other users.
2. Insecure Authentication Vulnerability (CVE-2024-47652)
This vulnerability exists in Client Dashboard due to an inadequate authentication mechanism in the login module, whereby access to any user's account is granted on the basis of the corresponding mobile number alone. A remote attacker could exploit it by supplying the mobile number of a targeted user to obtain complete access to that user's account.
3. Missing Authorization Vulnerability (CVE-2024-47653)
This vulnerability exists in Client Dashboard due to a lack of authorization checks on modification and cancellation requests submitted through certain API endpoints. An authenticated remote attacker could exploit it by submitting or cancelling requests through the API request body, which could lead to unauthorized modification of requests belonging to other users.
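The following Python illustration is added to this note and is not Shilpi code. It shows the pattern behind items 1 and 3 (and item 7, which differs only in the parameter name) in a minimal API handler: the vulnerable handlers take the acting user's identity, or the object to act on, from the request as supplied, while the hardened handlers take identity from the authenticated session and check ownership of the object being modified. The "userid" handling, the profile and request records, and the response codes are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed sample data for the example: profiles keyed by user id, and
# service requests that carry an owner.
PROFILES = {
    "U-100": {"name": "Asha", "pan": "ABCDE1234F"},
    "U-200": {"name": "Ravi", "pan": "PQRST5678K"},
}


def fresh_requests():
    """A fresh copy of the request store, so each scenario starts clean."""
    return {
        "R-1001": {"owner": "U-100", "status": "open"},
        "R-2002": {"owner": "U-200", "status": "open"},
    }


def profile_vulnerable(session_user, body):
    """Parameter pollution: parse_qs keeps every copy of a repeated key and
    this handler takes the last one, so a body of
    'userid=U-100&userid=U-200' sent by U-100 returns U-200's profile."""
    params = parse_qs(body, keep_blank_values=True)
    uid = params.get("userid", [session_user])[-1]
    return 200, PROFILES[uid]


def profile_hardened(session_user, body):
    """Identity comes from the session only. A 'userid' in the body is at best
    redundant: a repeated one is a malformed request, a mismatching one is a
    forbidden request."""
    params = parse_qs(body, keep_blank_values=True)
    supplied = params.get("userid", [])
    if len(supplied) > 1:
        return 400, {"error": "duplicate parameter"}
    if supplied and supplied[0] != session_user:
        return 403, {"error": "forbidden"}
    return 200, PROFILES[session_user]


def cancel_vulnerable(session_user, store, request_id):
    """Missing authorization: session_user is never consulted, so any
    authenticated user can cancel any request whose id they know or guess."""
    rec = store.get(request_id)
    if rec is None:
        return 404, {"error": "not found"}
    rec["status"] = "cancelled"
    return 200, {"id": request_id, "status": rec["status"]}


def cancel_hardened(session_user, store, request_id):
    """Object-level authorization: the record must exist and belong to the
    caller. Missing and foreign ids get the same answer so that request ids
    cannot be enumerated through the error message."""
    rec = store.get(request_id)
    if rec is None or rec["owner"] != session_user:
        return 404, {"error": "not found"}
    rec["status"] = "cancelled"
    return 200, {"id": request_id, "status": rec["status"]}
```

Which copy of a repeated parameter a framework exposes (first, last, or a list) varies between servers and proxies, which is why the hardened handler does not pick one but rejects the request; the real fix is that the client-supplied identifier is never the source of truth.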
4. No Rate Limiting Vulnerability (CVE-2024-47654)
This vulnerability exists in Client Dashboard due to a lack of rate limiting and CAPTCHA protection for OTP requests in certain API endpoints. An unauthenticated remote attacker could exploit it by sending a large number of OTP requests through the vulnerable API endpoints, which could lead to OTP bombing of the targeted user.
5. Unrestricted File Upload Vulnerability (CVE-2024-47655)
This vulnerability exists in Client Dashboard due to improper validation of the extension of uploaded files, which allows files of types other than those permitted to be uploaded. An authenticated remote attacker could exploit it by uploading a malicious file, which could lead to remote code execution on the targeted application.
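The following Python illustration is added to this note and is not Shilpi code. It shows the check that item 5 describes as missing, beside the kind of check that is commonly found in its place. The allowed types, the size limit and the sample files are constructed for the example. The hardened check validates the extension against an allow-list, confirms that the file content begins as a file of that type does, and discards the client-supplied name entirely, so path components, double extensions and null bytes in it never reach the filesystem.

```python
import secrets
from pathlib import PurePosixPath

# Constructed allow-list for the example: permitted extension -> leading bytes
# that a genuine file of that type begins with.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024


def check_vulnerable(filename, data):
    """Extension check done as a substring test on the client-supplied name.
    It passes 'shell.pdf.php' because 'pdf' appears in the name, never looks
    at the content, and leaves the name to be used as-is on disk."""
    lowered = filename.lower()
    return any(ext in lowered for ext in ALLOWED_TYPES)


def check_hardened(filename, data):
    """Returns the storage name to use, or None if the upload is rejected."""
    if not data or len(data) > MAX_BYTES:
        return None
    # Keep only the final path component; '../' and drive prefixes are dropped.
    name = PurePosixPath(filename.replace("\\", "/")).name
    # The extension is the text after the last dot: 'shell.pdf.php' is 'php'.
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not data.startswith(magic):
        return None  # unknown extension, or content does not match the type
    # The client's name is not reused at all. A random stem plus the validated
    # extension is what gets stored, outside the web root, and served back
    # with Content-Disposition: attachment rather than executed or rendered.
    return f"{secrets.token_hex(16)}.{ext}"
```

A leading-bytes check is not proof that a file is benign (a script can be prefixed with a PDF header), so the random name, the storage location outside the web root and the download-only serving are what actually remove the code-execution path; the content check mainly stops mislabelled files.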
6. User Enumeration Vulnerability (CVE-2024-47656)
This vulnerability exists in Client Dashboard due to missing restrictions on incorrect login attempts in its API-based login. A remote attacker could exploit it by brute-forcing passwords, which could lead to unauthorized access to other users' accounts.
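The following Python illustration is added to this note and is not Shilpi code. It shows the controls that items 4 and 6 describe as missing, with one sliding-window limiter applied both to an OTP endpoint and to an API login. The limits, the window lengths, the sample mobile numbers and addresses, and the password store are constructed for the example. The login handler also covers the enumeration aspect of item 6: an unknown number, a wrong password and a throttled account all get the same response, and the handler does the same password-hashing work whether or not the number exists.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per `key` in any trailing `window`
    seconds. Single-process, in-memory; a deployment would back this with a
    shared store so that every API node sees the same counts."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FakeClock:
    """Controllable clock so the example runs offline and deterministically."""

    def __init__(self):
        self.t = 1000.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class OtpService:
    """Item 4: cap OTP sends per destination number and per source address."""

    def __init__(self, clock=time.monotonic):
        self.per_number = SlidingWindowLimiter(3, 600, clock)   # 3 per 10 min
        self.per_source = SlidingWindowLimiter(20, 600, clock)  # 20 per 10 min
        self.sent = []  # stands in for the SMS gateway in this example

    def request_otp(self, mobile, source_ip):
        if not self.per_source.allow(source_ip) or not self.per_number.allow(mobile):
            return 429, {"error": "too many requests"}
        self.sent.append(mobile)
        return 202, {"status": "sent"}


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_users(plain):
    """Constructed credential store for the example: mobile -> (salt, hash)."""
    users = {}
    for mobile, password in plain.items():
        salt = os.urandom(16)
        users[mobile] = (salt, hash_password(password, salt))
    return users


class LoginService:
    """Item 6: throttle attempts per account and per source, and answer every
    failure identically so the API does not reveal which numbers exist."""

    GENERIC = (401, {"error": "invalid credentials"})

    def __init__(self, users, clock=time.monotonic):
        self.users = users
        self.per_account = SlidingWindowLimiter(10, 900, clock)  # 10 per 15 min
        self.per_source = SlidingWindowLimiter(50, 900, clock)   # 50 per 15 min
        self.dummy_salt = os.urandom(16)

    def login(self, mobile, password, source_ip):
        # Throttle before touching the credential store, and throttle unknown
        # numbers exactly like known ones.
        if not self.per_source.allow(source_ip) or not self.per_account.allow(mobile):
            return 429, {"error": "too many requests"}
        salt, expected = self.users.get(mobile, (self.dummy_salt, None))
        computed = hash_password(password, salt)  # same cost for unknown numbers
        if expected is None or not hmac.compare_digest(computed, expected):
            return self.GENERIC
        return 200, {"status": "ok"}
```

The per-source limit on its own is easy to evade from a distributed source, and the per-account limit on its own lets an attacker lock a victim out; applying both, with a CAPTCHA or a step-up challenge once either trips, is the usual compromise.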
7. Improper Access Control Vulnerability (CVE-2024-47657)
This vulnerability exists in Net Back Office due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit it by manipulating the "dfclientid" parameter in API request URLs, which could lead to unauthorized access to sensitive information belonging to other users.
Credit
These vulnerabilities were reported by Mohit Gadiya.
Solution
Upgrade Client Dashboard to version 9.7.0 or later and Net Back Office to version 5.5.002 or later.
Vendor Information
Shilpi Computers
https://mailchi.mp/shilpisoft/shilpi-alert-client-dashboard-685365
References
Shilpi Computers
https://mailchi.mp/shilpisoft/shilpi-alert-client-dashboard-685365
https://shilpisoft.com/
CVE Name
CVE-2024-47651
CVE-2024-47652
CVE-2024-47653
CVE-2024-47654
CVE-2024-47655
CVE-2024-47656
CVE-2024-47657
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India