Vulnerability Description: Improper Access Control – CWE-284
Software Version: 1.6.4
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31846
CVSSv3:
Severity:
Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli
The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Step-by-step instructions and PoC
Any unauthenticated user can retrieve data about the clients registered in the application. The endpoint returns personal information such as phone numbers and e-mail addresses, so the flaw can be used to harvest subscriber data without any credentials: the only parameter that matters is the phone number in the path, while the two path segments that follow it accept arbitrary values.
Below is the evidence, with the vulnerability details and the payload used.
URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/register/[PHONE-NUMBER]/[ANY-STRING]/[ANY-STRING]/it?columns%5B13%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B13%5D%5Bsearch%5D%5Bregex%5D=false&order%5B0%5D%5Bcolumn%5D=0&order%5B0%5D%5Bdir%5D=asc&start=0&length=10&search%5Bvalue%5D=&search%5Bregex%5D=false
Figure 5.1 - Payload
Figure 5.2 - Improper Access Control
Security Impact
By exploiting this vulnerability on the web application, it was possible to gain unauthorized access to personal information about registered clients.
Remediation Steps
Enforce authentication on the endpoint and, on every request, verify that the authenticated user is authorized to access the specific resource requested (for example, only its own registration record), rejecting requests for other users' records. Treat the phone number in the path as untrusted input, not as proof of identity.
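The following is an added example, not code from the affected product or from the advisory authors. It models the lookup endpoint as a plain Python function so the missing check can be seen next to the fix: `vulnerable_lookup` reproduces the behaviour described above (no authentication, any phone number in the path returns that subscriber's record), and `hardened_lookup` adds the two controls the remediation asks for, an authentication check followed by an ownership/role check. The path layout follows the URL shown in the PoC; the subscriber records, session tokens, `Request`/`Response` types and the `Bearer` header scheme are constructed assumptions for the demo.

```python
"""Added example: unauthenticated per-subscriber lookup vs. the hardened form.

Hypothetical model of the /supervoip/api/v1/register/<phone>/... endpoint.
Nothing here is the vendor's code; data, tokens and types are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: registered subscribers keyed by phone number.
SUBSCRIBERS = {
    "390000000001": {"phone": "390000000001", "email": "alice@example.invalid"},
    "390000000002": {"phone": "390000000002", "email": "bob@example.invalid"},
}

# Constructed sessions: bearer token -> authenticated subject and role.
SESSIONS = {
    "tok-alice": {"subject": "390000000001", "role": "subscriber"},
    "tok-admin": {"subject": "ops-team", "role": "admin"},
}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def parse_phone(path: str) -> Optional[str]:
    """Extract the phone-number segment from a path shaped like the PoC URL:
    /<node>/supervoip/api/v1/register/<phone>/<any>/<any>/it?...
    The query string and the two trailing segments are ignored, as in the PoC."""
    parts = path.split("?", 1)[0].strip("/").split("/")
    try:
        i = parts.index("register")
    except ValueError:
        return None
    return parts[i + 1] if len(parts) > i + 1 else None


def vulnerable_lookup(req: Request) -> Response:
    """Behaviour described in the advisory: the phone number in the path is
    treated as sufficient to return the matching subscriber record."""
    phone = parse_phone(req.path)
    profile = SUBSCRIBERS.get(phone) if phone else None
    return Response(200, profile) if profile else Response(404)


def _authenticate(req: Request) -> Optional[dict]:
    """Resolve a 'Authorization: Bearer <token>' header to a session, or None."""
    value = req.headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return SESSIONS.get(value[len("Bearer "):].strip())


def hardened_lookup(req: Request) -> Response:
    """Same endpoint with (1) authentication and (2) per-resource authorization."""
    session = _authenticate(req)
    if session is None:
        return Response(401)                      # no valid session: stop here
    phone = parse_phone(req.path)
    if phone is None:
        return Response(404)
    # A subscriber may read only its own record; an admin may read any.
    # Return 404 rather than 403 so a caller cannot use the status code to
    # enumerate which phone numbers are registered.
    if session["role"] != "admin" and session["subject"] != phone:
        return Response(404)
    profile = SUBSCRIBERS.get(phone)
    return Response(200, profile) if profile else Response(404)


def leaks_pii_unauthenticated(handler, phone: str) -> bool:
    """Regression check for the advisory's condition: does an unauthenticated
    request for <phone> come back with a 200 and a record?"""
    resp = handler(Request(f"/node1/supervoip/api/v1/register/{phone}/x/y/it?start=0&length=10"))
    return resp.status == 200 and resp.body is not None


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_pii_unauthenticated(vulnerable_lookup, "390000000002"))
    print("hardened leaks:  ", leaks_pii_unauthenticated(hardened_lookup, "390000000002"))
```

`leaks_pii_unauthenticated` is the check a reviewer would keep as a test after the fix: it sends the PoC-shaped request with no credentials and fails if a record comes back. Note that the hardened handler also refuses a valid subscriber session that asks for someone else's number, which is the ownership check that an authentication-only fix would still miss.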