Biloop
Monthly
Cross-tenant authorization bypass in Adiss Biloop allows an authenticated user to manipulate the company ID parameter in a backend POST request and access or modify data belonging to other companies (tenants) hosted in the same subdomain environment. The flaw exposes sensitive customer information including billing data and permits unauthorized modification of third-party records. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and low privilege requirement make this a high-priority issue for multi-tenant Biloop deployments.
Cross-tenant authorization bypass in Adiss Biloop allows an authenticated user to manipulate the company ID parameter in a backend POST request and access or modify data belonging to other companies (tenants) hosted in the same subdomain environment. The flaw exposes sensitive customer information including billing data and permits unauthorized modification of third-party records. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and low privilege requirement make this a high-priority issue for multi-tenant Biloop deployments.