PT-2023-22702 · Ebankit · Ebankit

Published

2023-04-28

·

Updated

2025-01-30

·

CVE-2023-30455

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

ebankIT versions prior to 7
Description

A denial-of-service condition is reachable through the EStatementsIds GET parameter of the "/Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx" endpoint. The parameter accepts a comma-separated list of e-statement IDs with no upper bound on its length: a request carrying more than 100 IDs is not rejected, and the server spends around 60 seconds building the resulting ZIP archive before it responds. While that archive is being generated, no other pages load. A threat actor can keep the server in this state by repeating a request with 100+ statement IDs every 30 seconds, making the application unavailable to all users. The CVSS vector reflects this: no privileges or user interaction are required, and the impact is confined to availability.
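For defenders who cannot patch immediately, the abuse pattern above is easy to spot in web server access logs: single requests to DownloadEStatement.ashx carrying an unusual number of comma-separated IDs, and one client repeating them at a steady cadence. The following is an added example, not ebankIT's code or tooling: it scans a constructed, simplified access-log format (date, time, client, method, path, query, status, time-taken in ms) for both signals. The log format, the thresholds, the client addresses and the sample lines are assumptions; only the endpoint path and the parameter name come from the advisory.

```python
"""Detect oversized and bursty EStatementsIds requests in access logs.

Added example, not ebankIT's code. The log format below is constructed
(date time client method path query status time-taken-ms); thresholds,
addresses and sample lines are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

TARGET_PATH = "/Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx"
ID_THRESHOLD = 50        # assumed: flag any single request carrying this many IDs
BURST_WINDOW_S = 120.0   # assumed: and a client sending BURST_COUNT such requests this fast
BURST_COUNT = 3


def _ids(n, start=1000):
    # constructed helper: n comma-separated statement IDs, e.g. "1000,1001,..."
    return ",".join(str(start + i) for i in range(n))


# Constructed sample. Lines 2-4 model the cadence the advisory describes:
# 100+ IDs roughly every 30 seconds from one source, each taking ~60 s.
SAMPLE_LINES = [
    f"2023-04-28 10:00:00 10.0.0.7 GET {TARGET_PATH} EStatementsIds={_ids(2)} 200 850",
    f"2023-04-28 10:00:30 10.0.0.5 GET {TARGET_PATH} estatementsids={_ids(120)} 200 60012",
    f"2023-04-28 10:01:00 10.0.0.5 GET {TARGET_PATH} EStatementsIds={_ids(130)} 200 61400",
    f"2023-04-28 10:01:30 10.0.0.5 GET {TARGET_PATH} EStatementsIds={_ids(125)} 200 59980",
    f"2023-04-28 10:02:10 10.0.0.9 GET {TARGET_PATH} EStatementsIds={_ids(60)} 200 30210",
    f"2023-04-28 10:02:20 10.0.0.9 GET /Accounts/List ids={_ids(200)} 200 120",
]


def parse_line(line):
    """Split one constructed log line into a record, or None if malformed."""
    fields = line.split()
    if len(fields) != 8:
        return None
    date, tm, client, method, path, query, status, taken = fields
    return {
        "time": datetime.fromisoformat(f"{date} {tm}"),
        "client": client, "method": method, "path": path, "query": query,
        "status": int(status), "taken_ms": int(taken),
    }


def count_estatement_ids(query):
    """Count non-empty comma-separated values of EStatementsIds.

    ASP.NET matches query keys case-insensitively, so the key is normalised,
    and every occurrence of the parameter is counted, not just the first.
    """
    total = 0
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() != "estatementsids":
            continue
        for value in values:
            total += sum(1 for part in value.split(",") if part.strip())
    return total


def scan_log(lines):
    """Return findings: one 'oversized' per abusive request, one 'burst' per client."""
    findings = []
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        n = count_estatement_ids(rec["query"])
        if n < ID_THRESHOLD:
            continue
        findings.append({"kind": "oversized", "client": rec["client"],
                         "time": rec["time"].isoformat(sep=" "),
                         "ids": n, "taken_ms": rec["taken_ms"]})
        per_client[rec["client"]].append(rec["time"])
    for client, times in sorted(per_client.items()):
        times.sort()
        # sliding window: any BURST_COUNT oversized requests within BURST_WINDOW_S
        for i in range(len(times) - BURST_COUNT + 1):
            span = (times[i + BURST_COUNT - 1] - times[i]).total_seconds()
            if span <= BURST_WINDOW_S:
                findings.append({"kind": "burst", "client": client,
                                 "requests": BURST_COUNT, "span_s": span})
                break
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LINES):
        print(finding)
```

The ID count is the primary signal because it is present in the request itself; the time-taken field is kept in each finding so an analyst can confirm the ~60 s cost the advisory describes. Feeding real logs only requires replacing parse_line with a parser for the server's actual format.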
Recommendations

For versions prior to 7, disable the EStatementsIds parameter of the "/Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx" endpoint as a temporary workaround until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation; where the endpoint must stay reachable, enforce a server-side cap on the number of comma-separated IDs accepted per request and rate-limit archive generation per client, so that no single request can occupy the server for a minute. Avoid calling the endpoint with a large number of comma-separated IDs until the issue is resolved.
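The weakness is unbounded resource allocation driven by an attacker-controlled list, so the fix has two halves: bound the list before any work is done, and bound how often one client can trigger the expensive work. The following is an added example, not ebankIT's code, that models the EStatementsIds handling of DownloadEStatement.ashx with both controls in place. The cap of ten IDs, the ID syntax, the throttle limits, the function names and the placeholder archive contents are assumptions; a real handler would load the actual statement documents.

```python
"""Hardened handling of a comma-separated statement-ID list.

Added example, not ebankIT's code. Models the EStatementsIds parameter of
DownloadEStatement.ashx with a hard cap on IDs per request, strict ID
syntax, deduplication, and a per-client limit on concurrent and repeated
archive builds. Limits, ID format, names and archive contents are assumed.
"""
import io
import re
import threading
import time
import zipfile
from typing import Callable, Dict, List, Optional, Set, Tuple

MAX_IDS_PER_REQUEST = 10                # assumed cap; the advisory shows 100+ is abusive
MAX_PARAM_LENGTH = 512                  # reject oversized input before splitting it
ID_PATTERN = re.compile(r"^\d{1,12}$")  # assumed ID syntax: a short decimal number


class BadRequest(ValueError):
    """Client error; the handler maps it to HTTP 400."""


def parse_estatement_ids(raw: Optional[str]) -> List[int]:
    """Parse and validate EStatementsIds, rejecting before any expensive work."""
    if not raw:
        raise BadRequest("EStatementsIds is required")
    if len(raw) > MAX_PARAM_LENGTH:
        raise BadRequest("EStatementsIds is too long")
    parts = [p.strip() for p in raw.split(",")]
    if len(parts) > MAX_IDS_PER_REQUEST:
        raise BadRequest(f"at most {MAX_IDS_PER_REQUEST} statement IDs per request")
    ids: List[int] = []
    for part in parts:
        if not ID_PATTERN.match(part):
            raise BadRequest("invalid statement ID")
        sid = int(part)
        if sid not in ids:   # drop duplicates; the list is tiny, so this is cheap
            ids.append(sid)
    return ids


class ClientThrottle:
    """At most max_per_window archive builds per client per window, one in flight."""

    def __init__(self, max_per_window: int = 3, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock                      # injectable for deterministic tests
        self._lock = threading.Lock()
        self._history: Dict[str, List[float]] = {}
        self._in_flight: Set[str] = set()

    def try_acquire(self, client: str) -> bool:
        now = self.clock()
        with self._lock:
            if client in self._in_flight:       # one expensive build at a time per client
                return False
            recent = [t for t in self._history.get(client, []) if now - t < self.window]
            if len(recent) >= self.max_per_window:
                self._history[client] = recent
                return False
            recent.append(now)
            self._history[client] = recent
            self._in_flight.add(client)
            return True

    def release(self, client: str) -> None:
        with self._lock:
            self._in_flight.discard(client)


def build_archive(ids: List[int]) -> bytes:
    """Stand-in for the real ZIP generation; entry bodies are constructed placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for sid in ids:
            zf.writestr(f"estatement-{sid}.pdf", f"placeholder for statement {sid}\n")
    return buf.getvalue()


def archive_entries(blob: bytes) -> List[str]:
    """Names of the entries in a ZIP produced by build_archive."""
    return zipfile.ZipFile(io.BytesIO(blob)).namelist()


def handle_download(client: str, raw_param: Optional[str], throttle: ClientThrottle,
                    build: Callable[[List[int]], bytes] = build_archive) -> Tuple[int, object]:
    """Validate first, throttle second, and only then do the expensive work."""
    try:
        ids = parse_estatement_ids(raw_param)
    except BadRequest as exc:
        return 400, str(exc)
    if not throttle.try_acquire(client):
        return 429, "too many e-statement downloads; retry later"
    try:
        return 200, build(ids)
    finally:
        throttle.release(client)


if __name__ == "__main__":
    th = ClientThrottle()
    print(handle_download("10.0.0.5", ",".join(str(i) for i in range(120)), th))
    status, body = handle_download("10.0.0.5", "7,8,8", th)
    print(status, archive_entries(body))
```

Order matters: rejected requests never touch the throttle, so an attacker cannot use malformed input to lock a legitimate user out, and the throttle is taken before the archive is built, so the one-in-flight rule actually bounds CPU and disk rather than just counting responses. The client key should be the authenticated session or account where one exists, falling back to the source address only for unauthenticated traffic.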

Fix

Weakness Enumeration

Allocation of Resources Without Limits (CWE-770)

Related Identifiers

CVE-2023-30455

Affected Products

Ebankit