CVE-2023-33291

Name of the Vulnerable Software and Affected Versions ebankIT version 6

Description The issue concerns the public endpoints "/public/token/Email/generate" and "/public/token/SMS/generate" which allow generation of OTP messages to any e-mail address or phone number without validation. However, it cannot be exploited with e-mail addresses or phone numbers that are registered in the application.

Recommendations For ebankIT version 6, consider restricting access to the "/public/token/Email/generate" and "/public/token/SMS/generate" endpoints to minimize the risk of exploitation. As a temporary workaround, implement validation for e-mail addresses and phone numbers to prevent unauthorized generation of OTP messages. At the moment, there is no information about a newer version that contains a fix for this vulnerability.