Vulnerability Summary
An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database, with the operation selected by a single option request header. The only access control is a Referer string check, which any HTTP client trivially bypasses. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.
A vulnerability was identified where an unauthenticated, internet-facing servlet exposed full CRUD access to the bank's internal marketing-campaign database. The endpoint accepted POST requests with no session, no CSRF token and no authentication; its only "protection" was a check on the Referer header, which any HTTP client can set in one line. Four operations were reachable through a single option request header, allowing any anonymous attacker to read the entire campaign dataset, create new campaigns in the production backoffice and overwrite existing production campaigns.
The endpoint POST /services/formcampaign is an AEM Sling servlet that proxies four different operations against an internal Spring Boot backend (com.target.backend.campaigns):
HackerOne disclosed report: https://hackerone.com/reports/3676308 by glferreira-devsecops
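Because the Referer check is not a trust signal, the practical defender's question is whether anonymous principals are reaching this servlet at all, and with which operations. The following is an added detection example (not code from the report or from the affected site); it assumes request logs exported as one JSON object per line with the constructed field names used below, and treats the four operation names from the report as the known set.

```python
# Added example: flag anonymous CRUD calls to the /services/formcampaign servlet.
# Log format and field names (ts, user, method, path, option, referer) are assumptions.
import json
from collections import Counter

SERVLET_PATH = "/services/formcampaign"       # endpoint named in the report
READ_OPS = {"getData", "getDataById"}         # operations named in the report
WRITE_OPS = {"setData", "updateData"}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","user":"anonymous","method":"POST","path":"/services/formcampaign","option":"getData","referer":"https://www.bank.example/"}
{"ts":"2024-05-01T10:00:02Z","user":"mkt-editor","method":"POST","path":"/services/formcampaign","option":"updateData","referer":"https://author.bank.example/"}
{"ts":"2024-05-01T10:00:03Z","user":"anonymous","method":"POST","path":"/services/formcampaign","option":"setData","referer":"https://www.bank.example/"}
{"ts":"2024-05-01T10:00:04Z","user":"anonymous","method":"GET","path":"/content/home.html","option":"","referer":""}
{"ts":"2024-05-01T10:00:05Z","user":"anonymous","method":"POST","path":"/services/formcampaign","option":"deleteData","referer":""}
"""

def classify(rec):
    """Severity label for one parsed record, or None if it is not a servlet call.
    The referer field is deliberately ignored: it is client-controlled."""
    if rec.get("path") != SERVLET_PATH or rec.get("method") != "POST":
        return None
    op = rec.get("option", "")
    anonymous = rec.get("user", "anonymous") == "anonymous"
    if anonymous and op in WRITE_OPS:
        return "critical"      # unauthenticated write into the production backoffice
    if anonymous and op in READ_OPS:
        return "high"          # unauthenticated read of the campaign dataset
    if op not in READ_OPS | WRITE_OPS:
        return "unknown-op"    # option value outside the documented four
    return "info"              # authenticated use of the servlet

def scan(log_text):
    """Parse JSON-lines text; return (findings, per-label counts), skipping 'info'."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        label = classify(rec)
        if label not in (None, "info"):
            findings.append((rec["ts"], rec["user"], rec["option"], label))
    return findings, Counter(f[3] for f in findings)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(*finding)
```

Any "critical" hit is a confirmed exercise of the weakness; the "unknown-op" bucket catches probing for operations beyond the four the report documents.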
A vulnerability was identified where an authenticated user could disable Multi-Factor Authentication (MFA) on their own account by modifying hidden account attributes through a backend API endpoint. This allowed subsequent logins without an MFA prompt, effectively bypassing the security control and increasing the risk of unauthorized access in the event of credential compromise.