E4 Sistemas Mercatus ERP ID Resource Injection Vulnerability

Vulnerability

A resource injection vulnerability has been identified in E4 Sistemas Mercatus ERP version 2.00.019. The issue arises in an unknown function of the file '/basico/webservice/imprimir-danfe/id/', where improper control of resource identifiers allows unauthorized access to sensitive information: the endpoint selects the invoice to print solely from the client-supplied ID, without checking that the requester is entitled to it. This vulnerability can be exploited remotely without authentication by manipulating the ID parameter to access invoices belonging to other users.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive data, specifically purchase invoices from other users.

Reproduction

To reproduce this vulnerability, send a request to the '/basico/webservice/imprimir-danfe/id/' endpoint with a known invoice ID. The response contains the invoice associated with that ID. Changing the ID to another value returns invoices belonging to other users, since the server does not verify ownership of the requested resource.
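The following is an added illustration and is not code from E4 Sistemas or the Mercatus ERP product, whose implementation is not public. It models a hypothetical invoice lookup behind an "imprimir-danfe/id/<id>" style endpoint in two forms: the pattern this advisory describes (the record is chosen from the client-supplied identifier alone) and a hardened form that binds the lookup to the authenticated session and returns the same "not found" result for foreign and missing invoices. It also includes a small detector that flags clients requesting many distinct invoice IDs in a constructed access-log sample, which is the behaviour a defender would watch for while the fix is pending. All data, names and the log format are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    body: str


# Constructed sample data (hypothetical): two customers, each with one invoice.
INVOICES = {
    1001: Invoice(1001, owner_id=7, body="DANFE 1001 for customer 7"),
    1002: Invoice(1002, owner_id=9, body="DANFE 1002 for customer 9"),
}


class AccessDenied(Exception):
    pass


def fetch_invoice_unchecked(invoice_id: int) -> Optional[Invoice]:
    """Vulnerable pattern: the client-supplied ID alone selects the record.

    Any caller, authenticated or not, can read any invoice by changing the ID.
    """
    return INVOICES.get(invoice_id)


def fetch_invoice_for_user(session_user_id: Optional[int], invoice_id: int) -> Invoice:
    """Hardened pattern: require a session and enforce ownership server-side.

    Missing and foreign invoices produce the same error so the endpoint does
    not reveal which IDs exist.
    """
    if session_user_id is None:
        raise AccessDenied("authentication required")
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        raise AccessDenied("invoice not found")
    return inv


def can_access(session_user_id: Optional[int], invoice_id: int) -> bool:
    """Boolean wrapper around the hardened lookup, handy for tests and policies."""
    try:
        fetch_invoice_for_user(session_user_id, invoice_id)
        return True
    except AccessDenied:
        return False


# Detection: flag clients that fetch many distinct invoice IDs. The log format
# below is an assumed simplified access-log layout, not the product's real one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ "GET /basico/webservice/imprimir-danfe/id/(?P<id>\d+)'
)

# Constructed sample log: one client walks six consecutive IDs, another
# re-downloads its own invoice twice.
SAMPLE_LOG = """\
203.0.113.5 - "GET /basico/webservice/imprimir-danfe/id/1001 HTTP/1.1" 200
203.0.113.5 - "GET /basico/webservice/imprimir-danfe/id/1002 HTTP/1.1" 200
203.0.113.5 - "GET /basico/webservice/imprimir-danfe/id/1003 HTTP/1.1" 200
198.51.100.8 - "GET /basico/webservice/imprimir-danfe/id/1002 HTTP/1.1" 200
203.0.113.5 - "GET /basico/webservice/imprimir-danfe/id/1004 HTTP/1.1" 200
203.0.113.5 - "GET /basico/webservice/imprimir-danfe/id/1005 HTTP/1.1" 200
198.51.100.8 - "GET /basico/webservice/imprimir-danfe/id/1002 HTTP/1.1" 200
203.0.113.5 - "GET /basico/webservice/imprimir-danfe/id/1006 HTTP/1.1" 200
"""


def enumeration_suspects(log_text: str, threshold: int = 5) -> list:
    """Return client IPs that requested at least `threshold` distinct invoice IDs."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].add(int(m["id"]))
    return sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("unchecked lookup of 1002:", fetch_invoice_unchecked(1002))
    print("user 7 can read 1001:", can_access(7, 1001))
    print("user 7 can read 1002:", can_access(7, 1002))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The ownership check belongs in the server-side lookup itself, not in a front-end filter, and the access-log threshold should be tuned to the normal per-client volume of invoice downloads before it is used for alerting.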

Added: Aug 29, 2025, 4:17 AM
Updated: Aug 29, 2025, 4:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.