
Aleksey Shupletsov

Researcher from Deiteriy Co. Ltd.
#21468 of 53,632
11.4 Total CVSS
Vulnerabilities · 2
Medium: 2
PT-2021-20818
6.1
2021-10-11
Openway · Openway Way4 Acs · CVE-2021-35059
Name of the Vulnerable Software and Affected Versions: OpenWay WAY4 ACS versions prior to 1.2.278-2693

Description: The issue allows for XSS via the "/way4acs/enroll" action parameter. This means an attacker could potentially inject malicious scripts into the application, affecting users who interact with the vulnerable endpoint.

Recommendations: For versions prior to 1.2.278-2693, update to version 1.2.278-2693 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/way4acs/enroll" endpoint until the update is applied.

PT-2021-20819
5.3
2021-10-11
Openway · Openway Way4 Acs · CVE-2021-35060
Name of the Vulnerable Software and Affected Versions: OpenWay WAY4 ACS versions prior to 1.2.278-2693

Description: The issue allows unauthenticated attackers to discover whether a specific payment card number is stored in the system by leveraging response differences. The "/way4acs/enroll" endpoint is affected.

Recommendations: For versions prior to 1.2.278-2693, update to version 1.2.278-2693 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/way4acs/enroll" endpoint to minimize the risk of exploitation.