Fullstep
Monthly
Insecure direct object reference in Fullstep V5 allows authenticated users to enumerate and modify other users' supplier registration data via predictable API endpoints. Authenticated attackers with low privileges can exploit vulnerable GET and POST endpoints to list sensitive user information (/api/suppliers/v1/suppliers/) and update arbitrary user profiles including personal details and documents (/#/supplier-registration/supplier-registration/). CVSS 7.6 reflects high confidentiality and integrity impact with low attack complexity. No public exploit code identified at time of analysis, but the IDOR pattern is trivial to exploit once authenticated. INCIBE-CERT advisory confirms patch availability from vendor.
Authentication bypass in Fullstep V5 registration process enables unauthenticated remote attackers to obtain valid JWT tokens for accessing protected API resources without credentials. CVSS v4.0 score of 8.7 reflects the severity of network-accessible authentication bypass with high confidentiality impact. Vendor patch is available through INCIBE coordination. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, though the vulnerability's low complexity (AC:L) and lack of required authentication (PR:N) make it readily exploitable once discovered.
Insecure direct object reference in Fullstep V5 allows authenticated users to enumerate and modify other users' supplier registration data via predictable API endpoints. Authenticated attackers with low privileges can exploit vulnerable GET and POST endpoints to list sensitive user information (/api/suppliers/v1/suppliers/) and update arbitrary user profiles including personal details and documents (/#/supplier-registration/supplier-registration/). CVSS 7.6 reflects high confidentiality and integrity impact with low attack complexity. No public exploit code identified at time of analysis, but the IDOR pattern is trivial to exploit once authenticated. INCIBE-CERT advisory confirms patch availability from vendor.
Authentication bypass in Fullstep V5 registration process enables unauthenticated remote attackers to obtain valid JWT tokens for accessing protected API resources without credentials. CVSS v4.0 score of 8.7 reflects the severity of network-accessible authentication bypass with high confidentiality impact. Vendor patch is available through INCIBE coordination. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis, though the vulnerability's low complexity (AC:L) and lack of required authentication (PR:N) make it readily exploitable once discovered.