An attacker can craft a request to this endpoint and then use social engineering to trick the target into clicking a malicious link that, when followed, issues a request to update the user's details.

Boodskap IoT Platform v4.4.9-02 allows remote attackers to view sensitive information about the target via the id parameter in a GET request to the /api/user/<user_id>/info endpoint.

Boodskap IoT Platform v4.4.9

Vulnerable Spots

The endpoint that allows remote attackers to view sensitive information about the target is vulnerable to XSS.

Boodskap IoT Platform v4.4.9: What is it?

Boodskap IoT Platform v4.4.9 is a software package that lets users create and manage their IoT devices. The software is free for deployments of 5-10 devices; the cost increases with the number of devices the user wants to manage.

Boodskap IoT Platform has a number of coding and design flaws that allow low-privileged attackers to view sensitive information about the target without authentication or authorization.

Boodskap IoT Platform v4.4.8-02 allows remote attackers to obtain sensitive information about the target via the id parameter in a GET request to the /api/user/<user_id>/info endpoint.

Boodskap IoT Platform v4.4.9 Weakness Notes

There are multiple vulnerabilities in this version of the Boodskap IoT Platform.
- attackers can use social engineering to trick targets into clicking a malicious link that triggers a request for user details, causing a denial-of-service condition.
- attackers can obtain private information about the target via the id parameter in a GET request to the /api/user/<user_id>/info endpoint.
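The information-disclosure items above describe reads of /api/user/<user_id>/info that are not tied to the authenticated user. The following detection logic is an added example, not code from Boodskap or from this advisory: it scans constructed access-log lines for unauthenticated reads, cross-user reads and id enumeration against that endpoint. The log layout, the field names and the assumption that the log's authenticated username equals the path's user_id are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed (constructed) log format: "<client_ip> <auth_user or -> <METHOD> <path> <status>".
# Only the endpoint path /api/user/<user_id>/info comes from the advisory.
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
USER_INFO_PATH = re.compile(r"^/api/user/([^/]+)/info$")

def parse_line(line):
    """Return (client_ip, auth_user, method, path, status) or None if the line does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ip, auth_user, method, path, status = m.groups()
    return ip, (None if auth_user == "-" else auth_user), method, path, int(status)

def find_suspicious(lines, enumeration_threshold=3):
    """Flag successful GETs to /api/user/<id>/info that are unauthenticated, that read a
    different user's record, or where one client reads many distinct ids (enumeration)."""
    findings = []
    ids_per_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, auth_user, method, path, status = rec
        m = USER_INFO_PATH.match(path)
        if not (m and method == "GET" and status == 200):
            continue  # denied or unrelated requests are not findings
        target_id = m.group(1)
        ids_per_client[ip].add(target_id)
        if auth_user is None:
            findings.append((ip, target_id, "unauthenticated read"))
        elif auth_user != target_id:  # assumes auth_user and path id share one namespace
            findings.append((ip, target_id, f"cross-user read by {auth_user}"))
    for ip, ids in ids_per_client.items():
        if len(ids) >= enumeration_threshold:
            findings.append((ip, None, f"enumeration of {len(ids)} user ids"))
    return findings

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    "10.0.0.5 alice GET /api/user/alice/info 200",    # normal self-read
    "10.0.0.9 - GET /api/user/alice/info 200",        # unauthenticated read
    "10.0.0.9 - GET /api/user/bob/info 200",
    "10.0.0.9 - GET /api/user/carol/info 200",        # third distinct id from one client
    "10.0.0.7 mallory GET /api/user/alice/info 200",  # cross-user read
    "10.0.0.7 mallory GET /api/user/alice/info 403",  # denied, not flagged
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```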

Timeline

Published on: 10/13/2022 23:15:00 UTC
Last modified on: 10/14/2022 14:09:00 UTC