Tabit - sensitive information disclosure. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and smoking habits. Each of the described APIs has in its URL one or more MongoDB IDs, which are not so simple to enumerate. However, they each receive a 'tiny URL' in Tabit's domain, in the form of {suffix}, with suffix being a 5-character-long string containing numbers and lower- and upper-case letters. It is not so simple to enumerate them all, but really easy to find some that work and lead to a personal endpoint. This is both an example of OWASP API4 (rate limiting) and OWASP API1 (Broken Object Level Authorization).

Furthermore, the redirect URL disclosed the MongoDB IDs discussed above, and we could use them to query other endpoints disclosing more personal information. For example, the URL {org_id}&healthStatementId={health_statement_id} is used to invite friends to fill in a health statement before attending the restaurant. We can use the health_statement_id to access the {health_statement_id} API, which discloses medical information as well as the ID number.
Published 2022-08-22 15:15:16
Updated 2023-03-28 18:11:23

Exploit prediction scoring system (EPSS) score for CVE-2022-34770

Probability of exploitation activity in the next 30 days: ~46%
Percentile (the proportion of vulnerabilities that are scored at or less):

CVSS scores for CVE-2022-34770

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
Score Source: Israel National Cyber Directorate

CWE ids for CVE-2022-34770

  • The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
    Assigned by: (Primary)
