CVE-2022-34776

Name of the Vulnerable Software and Affected Versions Tabit (affected versions not specified)

Description The issue concerns several APIs on the web system that display sensitive information without authorization, including health statements, previous bills in a specific restaurant, alcohol consumption, and smoking habits. These APIs contain MongoDB IDs in their URLs, which can be difficult to enumerate. However, they can be accessed through "tiny URLs" in the form of https://tbit.be/{suffix}, where the suffix is a 5-character string containing numbers, lower and upper case letters. Although enumerating all possible suffixes may be challenging, it is relatively easy to find some that work and lead to personal endpoints. The redirect URL discloses the MongoDB IDs, which can then be used to query other endpoints and disclose more personal information.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.