Exposure of Sensitive Information to an Unauthorized Actor in blair2004/nexopos-4x

Valid

Reported on

Sep 30th 2021


Description

Exposure of server side sensitive information due to unhandled exception in handling request method.

Proof of Concept

  1. Go to this link http://v4.nexopos.com/api/nexopos/v4/crud/ns.payments-types/4
  2. See that the page returns with sensitive server side data. Here is a sample
    "message": "The GET method is not supported for this route. Supported methods: PUT, DELETE.",
    "exception": "Symfony\\Component\\HttpKernel\\Exception\\MethodNotAllowedHttpException",
    "file": "/var/www/html/v4.nexopos.com/vendor/laravel/framework/src/Illuminate/Routing/AbstractRouteCollection.php",
    "line": 117,

Impact

This vulnerability is capable of exposure of server side information.

We have contacted a member of the blair2004/nexopos-4x team and are waiting to hear back 2 months ago
Blair Jersyer validated this vulnerability 2 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Blair Jersyer confirmed that a fix has been merged on b8fa0d 2 months ago
Blair Jersyer has been awarded the fix bounty