Roncoo Roncoo-Pay Improper Authorization Vulnerability in User Lookup Function
Vulnerability
An improper authorization vulnerability has been identified in Roncoo Roncoo-Pay versions up to 9428382af21cd5568319eae7429b7e1d0332ff40. The issue arises in an unspecified function behind the endpoint '/user/info/lookupList', where the application fails to validate authorization before serving the user lookup functionality. The vulnerability can be exploited remotely and requires no authentication, potentially leading to unauthorized access to user information.
Impact
Exploitation of this vulnerability allows unauthorized access to the user lookup list, enabling enumeration of users in the system. This could result in information disclosure and facilitate further attacks.
Reproduction
To reproduce this vulnerability, send a GET request to '/user/info/lookupList' without any session or credentials. Because the endpoint performs no authorization check, the request is served and the user lookup data is returned.
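The following is an added illustration of the missing check described above; it is not Roncoo-Pay's code and does not reproduce its framework. It contrasts a handler that serves the lookup list to anyone with one that authenticates the session and checks the caller's role before the lookup function is reached. The user table, session store, role names and the JSESSIONID cookie name are constructed assumptions for the example.

```python
"""Added example: user-lookup endpoint with and without an authorization gate.
Not Roncoo-Pay code; users, sessions, roles and cookie name are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for the application's user table.
USERS = [
    {"id": 1, "name": "alice", "role": "ADMIN"},
    {"id": 2, "name": "bob", "role": "MERCHANT"},
    {"id": 3, "name": "carol", "role": "MERCHANT"},
]

# Constructed session store: session id -> authenticated principal.
SESSIONS = {
    "sess-admin": {"user_id": 1, "role": "ADMIN"},
    "sess-merchant": {"user_id": 2, "role": "MERCHANT"},
}


@dataclass
class Request:
    path: str
    method: str = "GET"
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def lookup_list():
    """The sensitive operation: enumerates users (only non-secret lookup fields)."""
    return [{"id": u["id"], "name": u["name"]} for u in USERS]


def vulnerable_handler(req: Request) -> Response:
    """Serves the lookup list to any caller: the pattern the advisory describes."""
    if req.path != "/user/info/lookupList":
        return Response(404)
    return Response(200, lookup_list())


def current_principal(req: Request) -> Optional[dict]:
    """Resolve the session cookie (assumed name JSESSIONID) to a principal, if any."""
    return SESSIONS.get(req.cookies.get("JSESSIONID", ""))


# Route -> roles allowed to call it. Paths not listed here are denied by default.
REQUIRED_ROLES = {"/user/info/lookupList": {"ADMIN"}}


def hardened_handler(req: Request) -> Response:
    """Authenticate, then authorize by role, before the lookup function runs."""
    if req.path not in REQUIRED_ROLES:
        return Response(404)
    principal = current_principal(req)
    if principal is None:
        return Response(401)  # no valid session: refuse before any data access
    if principal["role"] not in REQUIRED_ROLES[req.path]:
        return Response(403)  # authenticated, but this role may not enumerate users
    return Response(200, lookup_list())


if __name__ == "__main__":
    anon = Request("/user/info/lookupList")
    print("vulnerable, anonymous:", vulnerable_handler(anon).status)
    print("hardened, anonymous:", hardened_handler(anon).status)
    print("hardened, admin:", hardened_handler(
        Request("/user/info/lookupList", cookies={"JSESSIONID": "sess-admin"})).status)
```

The point of the hardened form is ordering: the session is resolved and the role compared against an explicit allow-list before lookup_list() is ever called, and any route absent from REQUIRED_ROLES is refused rather than served, so adding a new endpoint without registering its roles fails closed instead of open.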
