Tabit - giftcard stealth

Tabit - giftcard stealth. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and smoking habits. Each of the described APIs, has in its URL one or more MongoDB ID which is not so simple to enumerate. However, they each receive a 'tiny URL' in tabits domain, in the form of https://tbit.be/{suffix} with suffix being a 5 character long string containing numbers, lower and upper case letters. It is not so simple to enumerate them all, but really easy to find some that work and lead to a personal endpoint. Furthermore, the redirect URL disclosed the MongoDB IDs discussed above, and we could use them to query other endpoints disclosing more personal information.

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

N/A

GTAB Software Tabit 信息泄露漏洞

GTAB Software Tabit是GTAB Software公司的一个用于创建、演奏和打印吉他、贝司或班卓琴指法谱的全功能程序。 GTAB Software Tabit 存在信息泄露漏洞，该漏洞源于其web系统上的几个API在未经授权的情况下显示敏感信息，如健康状况、以前在特定餐馆的账单、饮酒和吸烟习惯。攻击者可以获取到用户个人信息。

N/A

N/A