CVE ID: Pending - CVE-2017-14943
Credit: Brett DeWall aka @xbadbiddyx
Source: https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/TransitMaster%203E%20Information%20Disclosure%20-%20CVE-2017-14943

Vendor: Trapeze Group
- Website: http://www.trapezegroup.com/
Product: TransitMaster
Vulnerability Type: Sensitive Hashed Credential Disclosure

Vulnerability Details:
- When logging into the subscriber account, the "TransitMaster" application makes an HTTP POST request with the subscriber's unique ID to the backend database and retrieves account information (email/encrypted password).
- Manipulating the subscriber ID can lead to unauthenticated retrieval of other subscribers' account details.

Remediation Details:
- Require authentication to access account details.
- Logged-in users should not be able to view details of other users.

Timeline
- 2017-09-16 - Issue Reported to Vendor
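
The two remediation items above, shown as an added Python example that is not part of the original advisory and is not the vendor's code: the lookup pattern the advisory describes beside a version that authenticates the request and binds the requested ID to the session. All function names, the session table, and the sample records are hypothetical and constructed for illustration.

```python
# Added illustration. Every name here is hypothetical; the data is constructed.

# Constructed records standing in for the backend subscriber table.
SUBSCRIBERS = {
    "1001": {"email": "alice@example.test", "password": "<encrypted-1>"},
    "1002": {"email": "bob@example.test", "password": "<encrypted-2>"},
}
# Constructed session table: opaque token -> subscriber ID that logged in.
SESSIONS = {"tok-alice": "1001"}
# Denied cross-account requests, kept so ID manipulation is visible to defenders.
DENIED = []


def lookup_vulnerable(post):
    """Pattern from the advisory: the client-supplied ID alone selects the record."""
    return SUBSCRIBERS.get(str(post.get("subscriber_id", "")))


def lookup_hardened(post, session_token):
    """Apply both remediation items. Returns (http_status, body)."""
    # Remediation 1: require authentication before any account lookup.
    owner = SESSIONS.get(session_token or "")
    if owner is None:
        return 401, None
    # Remediation 2: a logged-in user may only read their own record, so the
    # ID in the POST body must match the ID bound to the session.
    requested = str(post.get("subscriber_id", ""))
    if requested != owner:
        DENIED.append((owner, requested))
        return 403, None
    # The record is selected by the server-side identity, not the request body.
    return 200, SUBSCRIBERS[owner]


if __name__ == "__main__":
    print(lookup_vulnerable({"subscriber_id": "1002"}))            # record returned
    print(lookup_hardened({"subscriber_id": "1002"}, None))         # 401
    print(lookup_hardened({"subscriber_id": "1002"}, "tok-alice"))  # 403
    print(lookup_hardened({"subscriber_id": "1001"}, "tok-alice"))  # 200
```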