Mohit Gadiya

Name of the Vulnerable Software and Affected Versions: CAP back office application (affected versions not specified) Description: The issue arises from the improper implementation of the OTP verification mechanism in the API-based login of the CAP back office application. A remote attacker with valid credentials could exploit this by manipulating the API request URL or payload, potentially allowing them to bypass Two-Factor Authentication (2FA) for other user accounts. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CAP back office application (affected versions not specified) Description: The issue is caused by a weak password-reset mechanism implemented at API endpoints in the CAP back office application. This allows an authenticated remote attacker with a valid login ID to potentially exploit the vulnerability, leading to account takeover of targeted users. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CAP back office application (affected versions not specified) Description: The issue is caused by missing rate limiting on OTP requests in an API endpoint, allowing an authenticated remote attacker to send multiple OTP requests, potentially leading to OTP bombing or flooding on the targeted system. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CAP back office application (affected versions not specified) Description: The issue is related to an improper authentication check at the "API endpoint". This could allow an unauthenticated remote attacker with a valid login ID to exploit the issue by manipulating `API input parameters` through the `API request URL/payload`, leading to unauthorized access to other user accounts. Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: CAP back office application (affected versions not specified) Description: The issue is caused by improper authorization checks on certain API endpoints, allowing an authenticated remote attacker to manipulate API request URLs and gain unauthorized access to other user accounts. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: RupeeWeb trading platform (affected versions not specified) Description: This issue exists due to insufficient authorization controls on certain API endpoints handling addition and deletion operations. Successful exploitation could allow an authenticated remote attacker to modify information belonging to other user accounts. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: RupeeWeb trading platform (affected versions not specified) Description: This issue exists due to improper implementation of the OTP validation mechanism in certain API endpoints. A remote attacker with valid credentials could exploit this by manipulating API responses, potentially allowing them to bypass Two-Factor Authentication (2FA) for other user accounts. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: RupeeWeb trading platform (affected versions not specified) Description: The issue is caused by missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this by sending multiple OTP requests through vulnerable API endpoints, leading to OTP bombing or flooding on the targeted system. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wave 2.0 **Description** This issue exists due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this by sending multiple OTP requests through the vulnerable API endpoint, leading to OTP bombing or flooding on the targeted system. The vulnerability is related to improper control of interaction frequency. **Recommendations** For Wave 2.0, patch to the latest version as soon as possible and monitor for suspicious activity. As a temporary workaround, consider restricting access to the vulnerable API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Aero (affected versions not specified) **Description** This issue exists due to improper implementation of the OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this by intercepting and manipulating responses during the second factor authentication process. Successful exploitation could allow the attacker to bypass OTP verification for accessing other user accounts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wave version 2.0 **Description** This issue is caused by improper or missing authorization checks on certain API endpoints. An authenticated remote attacker could exploit this by manipulating API input parameters to gain unauthorized access and perform malicious activities on other user accounts. **Recommendations** For Wave version 2.0, consider restricting access to vulnerable API endpoints until a patch is available. As a temporary workaround, limit the manipulation of API input parameters to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Wave 2.0 **Description** This issue is due to missing restrictions for excessive failed authentication attempts on the API-based login. A remote attacker could exploit this by conducting a brute force attack against legitimate user OTP, MPIN, or password, potentially gaining unauthorized access and compromising other user accounts. **Recommendations** For Wave 2.0, consider implementing restrictions on failed login attempts through the API to prevent brute force attacks. As a temporary workaround, restrict access to the API-based login until a more permanent solution is available.

**Name of the Vulnerable Software and Affected Versions** Wave version 2.0 **Description** The issue arises from insufficient encryption of sensitive data received at the API response, allowing an authenticated remote attacker to exploit it by manipulating API input parameters. This could lead to unauthorized access to sensitive information belonging to other users. **Recommendations** For Wave version 2.0, consider disabling access to sensitive API endpoints until a patch is available, and restrict manipulation of API input parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shilpi Client Dashboard (affected versions not specified) **Description** The issue exists due to improper validation of files being uploaded other than the specified extension. An authenticated remote attacker could exploit this by uploading a malicious file, which could lead to remote code execution on the targeted application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shilpi Client Dashboard (affected versions not specified) **Description** This issue exists due to improper handling of multiple parameters in the API endpoint. An authenticated remote attacker could exploit this by including multiple `userid` parameters in the API request body, leading to unauthorized access of sensitive information belonging to other users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shilpi Client Dashboard (affected versions not specified) **Description** The issue is related to an inadequate authentication mechanism in the login module of the Shilpi Client Dashboard. This allows access to any user's account with just their corresponding mobile number. A remote attacker could exploit this by providing the mobile number of the targeted user to obtain complete access to the targeted user's account. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shilpi Client Dashboard (affected versions not specified) **Description** This issue exists due to a lack of authorization for modification and cancellation requests through certain API endpoints. An authenticated remote attacker could exploit this by placing or cancelling requests through the API request body, leading to unauthorized modification of requests belonging to other users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shilpi Client Dashboard versions prior to 9.7.0 **Description** This issue exists due to a lack of rate limiting and Captcha protection for OTP requests in certain API endpoints. An unauthenticated remote attacker could exploit this by sending multiple OTP requests through vulnerable API endpoints, leading to OTP bombing on the targeted system. The attacker could flood requests, degrading performance. **Recommendations** For versions prior to 9.7.0, update to version 9.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints to minimize the risk of exploitation. Avoid using the OTP request feature in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Shilpi Client Dashboard (affected versions not specified) **Description** This issue is due to missing restrictions for incorrect login attempts on the API-based login of the Shilpi Client Dashboard. A remote attacker could exploit this by conducting a brute force attack on passwords, potentially gaining unauthorized access to other user accounts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shilpi Net Back Office (affected versions not specified) **Description** This issue exists due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this by manipulating the `dfclientid` parameter through API request URLs, leading to unauthorized access to sensitive information belonging to other users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.