Toko Online Roti
Monthly
Authorization bypass in RafyMrX TOKO-ONLINE-ROTI allows a low-privileged remote attacker to manipulate the `kd_cs` parameter in `proses/add.php` to access or modify data belonging to other customers, a classic CWE-639 Insecure Direct Object Reference pattern. The application up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is confirmed affected, with no vendor patch available after the vendor failed to respond to responsible disclosure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity of parameter manipulation makes this trivially reproducible with standard HTTP tooling.
Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. No public exploit code and no CISA KEV listing exist at time of analysis.
SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthenticated attackers to manipulate database queries via the kode_produk and kd_cs parameters in proses/add.php. The CVSS 4.0 vector confirms no privileges or user interaction are required, and a public exploit (E:P) has been released, lowering the skill threshold for opportunistic attacks. The vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
Authorization bypass in RafyMrX TOKO-ONLINE-ROTI allows a low-privileged remote attacker to manipulate the `kd_cs` parameter in `proses/add.php` to access or modify data belonging to other customers, a classic CWE-639 Insecure Direct Object Reference pattern. The application up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is confirmed affected, with no vendor patch available after the vendor failed to respond to responsible disclosure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity of parameter manipulation makes this trivially reproducible with standard HTTP tooling.
Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. No public exploit code and no CISA KEV listing exist at time of analysis.
SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthenticated attackers to manipulate database queries via the kode_produk and kd_cs parameters in proses/add.php. The CVSS 4.0 vector confirms no privileges or user interaction are required, and a public exploit (E:P) has been released, lowering the skill threshold for opportunistic attacks. The vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.