CVE-2020-35577: IDOR in Endalia Selection Portal
Vendor: Endalia
Vendor URL: https://www.endalia.com/software/seleccion/
Versions affected: Endalia Selection Portal < 4.205.0
Discovered by: Antón Ortigueira (@antuache)
Public fix: Yes
Proof of Concept: No
Summary
Endalia Selection Portal (< 4.205.0) is prone to an authenticated Insecure Direct Object Reference (IDOR).
Details
An IDOR vulnerability allows any authenticated user to download private files uploaded by other users, by changing the value of the file identifier in a CommonDownload request.
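As an added illustration (not Endalia's code), the download lookup in the IDOR-prone shape described above beside its hardened form, plus a log heuristic for spotting id enumeration against the download endpoint. The file store, account names and access-log line format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample file store: file id -> (owner account, file name).
FILES = {
    101: ("alice", "alice_id_card.pdf"),
    102: ("bob", "bob_bank_details.pdf"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested file."""


def common_download_vulnerable(current_user, file_id):
    """IDOR-prone pattern: the lookup keys on the client-supplied id only,
    so any authenticated account can read any file by changing the id."""
    if file_id not in FILES:
        raise Forbidden("file not found")
    return FILES[file_id][1]


def common_download_fixed(current_user, file_id):
    """Hardened pattern: ownership is checked server-side on every request as
    part of the lookup; missing and foreign files get the same answer so the
    endpoint does not become an existence oracle for other users' ids."""
    entry = FILES.get(file_id)
    if entry is None or entry[0] != current_user:
        raise Forbidden("file not found")
    return entry[1]


# Constructed (hypothetical) access-log line format for the download endpoint.
LOG_RE = re.compile(r"user=(\w+) path=/CommonDownload\?id=(\d+)")


def accounts_enumerating_ids(log_lines, min_distinct_ids=3):
    """Detection heuristic: one account requesting many distinct file ids
    from the download endpoint is the signature of IDOR probing."""
    ids_per_user = defaultdict(set)
    for line in log_lines:
        match = LOG_RE.search(line)
        if match:
            ids_per_user[match.group(1)].add(int(match.group(2)))
    return sorted(u for u, ids in ids_per_user.items()
                  if len(ids) >= min_distinct_ids)
```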
Impact
Sensitive user data, such as bank details and identification documents, is stored on this platform. Because the flaw is reachable by any authenticated user, an attacker only needs to register a user account to download it.
Recommendation
Update to a fixed version (>= 4.205.0).
Timeline
- 12/11/2020 - Vendor contact
- 24/11/2020 - Release of fixed version
- 18/02/2021 - Public disclosure