CVE-2022-34775

Tabit - Excessive data exposure. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. This can be used to query the http://tgm-api.tabit.cloud/rsv/management/{reservationId}?organization={orgId} API which returns a lot of data regarding the reservation (OWASP: API3): Name, mail, phone number, the number of visits of the user to this specific restaurant, the money he spent there, the money he spent on alcohol, whether he left a deposit etc. This information can easily be used for a phishing attack.
References
Link Resource
https://www.gov.il/en/departments/faq/cve_advisories Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:tabit:tabit:*:*:*:*:*:*:*:*

History

08 Aug 2023, 14:21

Type Values Removed Values Added
CWE CWE-668 CWE-639

Information

Published : 2022-08-22 15:15

Updated : 2024-02-28 19:29


NVD link : CVE-2022-34775

Mitre link : CVE-2022-34775

CVE.ORG link : CVE-2022-34775


JSON object : View

Products Affected

tabit

  • tabit
CWE
CWE-639

Authorization Bypass Through User-Controlled Key