Das Parking Management System Sensitive Data Exposure Vulnerability

Vulnerability

A sensitive data exposure vulnerability has been identified in Das Parking Management System version 6.2.0. This vulnerability resides in the file '/Operator/Search' and allows unauthorized access to the system's API. Exploitation of this vulnerability enables attackers to use historical tokens from the demo site to access the API on other websites, potentially leading to the disclosure of account credentials for all users. Notably, this exploitation does not require any login, as the demo site's token can bypass authentication and provide access to the interface.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive information, specifically user account credentials, which can be decrypted and used for direct login.

Reproduction

To reproduce this vulnerability, send a POST request to the '/Operator/Search' endpoint. Include the demo site's historical token in the 'Token' header. The request can be made without authentication, using only the token to access the API and retrieve account credentials.
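One way to rule out the cross-site token reuse described above, shown as an added example and not as the vendor's code: each deployment signs tokens with its own key, binds them to its own site name, and rejects them once expired. The token layout, key values and site names are assumptions, since the page does not describe how the product builds its tokens.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_token(key: bytes, site: str, user: str, ttl: int, now: int) -> str:
    """Mint a token bound to one deployment (aud) with an expiry (exp)."""
    body = _b64(json.dumps({"aud": site, "sub": user, "exp": now + ttl}).encode())
    return f"{body}.{_tag(key, body)}"

def verify_token(token: str, key: bytes, site: str, now: int):
    """Return the claims dict, or None if the token must be rejected."""
    try:
        body, tag = token.split(".")
        if not hmac.compare_digest(tag, _tag(key, body)):
            return None  # signed with another deployment's key, or tampered
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return None      # malformed token
    if not isinstance(claims, dict) or claims.get("aud") != site:
        return None      # issued for a different site
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None      # historical (expired) token
    return claims

# Constructed sample values (hypothetical keys, site names and clock).
DEMO_KEY, PROD_KEY = b"constructed-demo-key", b"constructed-prod-key"
PROD_SITE, NOW = "parking.example", 1_700_000_000

def demo() -> dict:
    """Which tokens does the production deployment accept?"""
    own = issue_token(PROD_KEY, PROD_SITE, "operator", 3600, NOW)
    from_demo = issue_token(DEMO_KEY, "demo.example", "operator", 3600, NOW)
    other_aud = issue_token(PROD_KEY, "demo.example", "operator", 3600, NOW)
    ok = lambda tok, t: verify_token(tok, PROD_KEY, PROD_SITE, t) is not None
    return {"own": ok(own, NOW + 60), "demo_site": ok(from_demo, NOW + 60),
            "shared_key_other_site": ok(other_aud, NOW + 60),
            "own_expired": ok(own, NOW + 7200)}

if __name__ == "__main__":
    print(demo())
```

The `shared_key_other_site` case shows why the site binding matters even when two deployments end up with the same signing key.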

Added: Sep 3, 2025, 12:24 AM
Updated: Sep 3, 2025, 12:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.