PT-2025-53350 · Unknown · Soca Access Control System

Published: 2025-12-24 · Updated: 2025-12-24 · CVE-2018-25129

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: SOCA Access Control System version 180612

Description: The SOCA Access Control System has multiple insecure direct object reference issues. These allow attackers to access sensitive user credentials, including retrieving authenticated and unauthenticated user password hashes and pins. Access is gained through unprotected endpoints such as /Get Permissions From DB.php and /Ac10 ReadSortCard. The vulnerable parameters or variables are not specified.

Recommendations: Apply necessary access controls to the /Get Permissions From DB.php endpoint. Apply necessary access controls to the /Ac10 ReadSortCard endpoint.

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2018-25129

Affected Products: Soca Access Control System