Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users' EC order details.
AnalysisAI
Authorization bypass in BankPro E-Service Technology's Service Center application allows authenticated remote attackers to read other users' electronic commerce order details by tampering with an object identifier parameter in a query function. The CVSS 4.0 vector (AV:N/PR:L/VC:H) reflects a high-confidentiality impact over the network with low privileges and no user interaction, and there is no public exploit identified at time of analysis. The flaw is an Insecure Direct Object Reference (IDOR) reported by TWCERT, affecting financial/EC order data that is typically subject to privacy and PCI-DSS scrutiny.
Technical ContextAI
Service Center is a banking/e-service platform produced by BankPro E-Service Technology (CPE: cpe:2.3:a:bankpro_e-service_technology:service_center:*). The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a classic Insecure Direct Object Reference where the application accepts a client-supplied identifier (e.g., an order ID, customer ID, or sequence number) in a query function and returns the corresponding record without verifying that the requesting session owns or is entitled to that record. Although tagged 'Authentication Bypass', the description indicates an authorization rather than authentication failure - the attacker must first be a legitimate authenticated user, then horizontally pivots to other users' EC (electronic commerce) order details by changing a numeric or otherwise predictable parameter.
RemediationAI
No vendor-released patch version is identified in the provided data; operators should contact BankPro E-Service Technology directly and consult the TWCERT advisories (https://www.twcert.org.tw/en/cp-139-10940-d90bd-2.html and https://www.twcert.org.tw/tw/cp-132-10938-97ddd-1.html) for the official fix and any vendor-supplied hotfix bulletin. The primary remediation is a code-level fix that enforces server-side authorization on the affected query function so that the session's user identity - not the client-supplied parameter - determines which order records can be returned; this typically means joining queries on the authenticated user ID or checking ownership in a middleware layer. Until the vendor patch is applied, compensating controls include placing the EC order query endpoint behind a WAF rule that flags rapid sequential or out-of-range identifier enumeration (trade-off: legitimate batch lookups may be blocked), enabling verbose access logging on the order endpoint and alerting on a single account fetching disparate user IDs (trade-off: log volume and analyst burden), and tightening session controls (short timeouts, MFA for sensitive views) to raise the cost of obtaining the low-privileged account needed to exploit the issue.
More in Service Center
View allUnspecified vulnerability in HP Service Manager 7.11, 9.21, 9.30, and 9.31 and Service Center 6.2.8 allows remote attack
Unspecified vulnerability in HP Service Manager 7.11, 9.21, 9.30, 9.31, and 9.32, and ServiceCenter 6.2.8, allows remote
Unspecified vulnerability in HP ServiceCenter 6.2.8 before 6.2.8.10 allows remote attackers to obtain sensitive informat
HP Service Manager 7.11, 9.21, 9.30, and 9.31, and ServiceCenter 6.2.8, allows remote attackers to obtain sensitive info
Cross-site scripting (XSS) vulnerability in HP Service Manager 7.11, 9.21, 9.30, and 9.31, and ServiceCenter 6.2.8, allo
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33253
GHSA-hc6j-f6m9-878g