CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through several authenticated resources in the application. The affected endpoints are '/api/suppliers/v1/suppliers//false', which lists a user's information, and '/#/supplier-registration/supplier-registration//2', which updates a user's registration information (personal details, documents, etc.); neither verifies that the referenced record belongs to the requesting user.
Analysis (AI)
Insecure direct object reference in Fullstep V5 allows authenticated users to enumerate and modify other users' supplier registration data via predictable API endpoints. Authenticated attackers with low privileges can exploit vulnerable GET and POST endpoints to list sensitive user information (/api/suppliers/v1/suppliers/) and update arbitrary user profiles including personal details and documents (/#/supplier-registration/supplier-registration/). …
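The vulnerability class described above, as an added illustration that is not Fullstep code and does not reproduce the real endpoints: a supplier-lookup and supplier-update handler that only check that the caller is logged in (the IDOR pattern), next to the hardened form that enforces object-level authorization on every access, plus a small detector that flags one session reading many different supplier IDs. The record store, the `Supplier` shape, the numeric IDs and the log line format are all constructed for the example; the real application's identifiers and log format are not known from the advisory.

```python
"""Added example: IDOR in an authenticated supplier endpoint vs. the fixed form."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Supplier:
    supplier_id: int
    owner_user_id: int   # the registered user who owns this record
    data: dict


# Constructed sample data standing in for supplier registrations (not real records).
SUPPLIERS = {
    101: Supplier(101, owner_user_id=1, data={"name": "Acme SL", "tax_id": "B-11111111"}),
    102: Supplier(102, owner_user_id=2, data={"name": "Beta SA", "tax_id": "A-22222222"}),
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


# --- Vulnerable pattern: authentication only, no ownership check ----------------
def get_supplier_vulnerable(session_user_id: int, supplier_id: int) -> dict:
    """Any logged-in user can read any supplier just by choosing the ID."""
    return dict(SUPPLIERS[supplier_id].data)


def update_supplier_vulnerable(session_user_id: int, supplier_id: int, changes: dict) -> None:
    """Any logged-in user can overwrite any supplier's registration data."""
    SUPPLIERS[supplier_id].data.update(changes)


# --- Fixed pattern: object-level authorization on every access ------------------
def _authorize(session_user_id: int, supplier_id: int) -> Supplier:
    """The caller must own the referenced record.

    Missing and not-owned records get the same error so the ID space cannot be
    enumerated by distinguishing 404 from 403."""
    supplier = SUPPLIERS.get(supplier_id)
    if supplier is None or supplier.owner_user_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not access supplier {supplier_id}")
    return supplier


def get_supplier_fixed(session_user_id: int, supplier_id: int) -> dict:
    return dict(_authorize(session_user_id, supplier_id).data)


def update_supplier_fixed(session_user_id: int, supplier_id: int, changes: dict) -> None:
    _authorize(session_user_id, supplier_id).data.update(changes)


def try_update(update_fn, session_user_id: int, supplier_id: int, changes: dict) -> bool:
    """Return True if the update went through, False if it was refused."""
    try:
        update_fn(session_user_id, supplier_id, changes)
        return True
    except Forbidden:
        return False


# --- Detection: one session touching many distinct supplier IDs -----------------
# Constructed access-log lines (assumed format, not real Fullstep logs): the
# numeric ID segment is hypothetical; the advisory shows the ID elided.
SAMPLE_LOG = """\
user=1 GET /api/suppliers/v1/suppliers/101/false
user=2 GET /api/suppliers/v1/suppliers/102/false
user=7 GET /api/suppliers/v1/suppliers/100/false
user=7 GET /api/suppliers/v1/suppliers/101/false
user=7 GET /api/suppliers/v1/suppliers/102/false
user=7 GET /api/suppliers/v1/suppliers/103/false
"""
LINE_RE = re.compile(r"user=(\d+) (GET|POST) /api/suppliers/v1/suppliers/(\d+)/")


def suspected_enumerators(log_text: str, threshold: int = 3) -> list:
    """Users who requested at least `threshold` distinct supplier IDs.

    A legitimate registrant touches its own record; a sweep across IDs is the
    signature of IDOR enumeration."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[int(m.group(1))].add(int(m.group(3)))
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable read of another user's record:", get_supplier_vulnerable(1, 102))
    print("fixed read denied:", not try_update(update_supplier_fixed, 1, 102, {}))
    print("suspected enumerators:", suspected_enumerators(SAMPLE_LOG))
```

The fix is the `_authorize` call on the read path and the write path alike: the registration-update route on the page is the more damaging of the two, because it lets a low-privileged account rewrite another supplier's documents, so a patch that only hardens the listing endpoint leaves the worse half of the bug in place. Running the detector over real access logs needs the regular expression adjusted to the deployment's actual path and log format.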
Remediation (AI)
Within 24 hours: inventory all Fullstep V5 deployments and record the installed version of each. Within 7 days: apply the vendor-released patch referenced in the INCIBE-CERT advisory to all Fullstep V5 instances; coordinate with the vendor to obtain the exact patched version number, and test in a non-production environment first. …
External POC / Exploit Code
EUVD-2026-24746
GHSA-27hq-xp89-25mq