CVE-2025-55886 PoC — ARD GEC en Ligne 安全漏洞

Source

https://github.com/0xZeroSec/CVE-2025-55886

Associated Vulnerability

Title:ARD GEC en Ligne 安全漏洞 (CVE-2025-55886)
Description:ARD GEC en Ligne是法国ARD公司的一个线上服务门户网站。 ARD GEC en Ligne存在安全漏洞，该漏洞源于payment history API端点中fe_uid参数存在不安全的直接对象引用，可能导致未经授权访问其他用户的支付历史。

Readme

# CVE-2025-55886
### Description
An Insecure Direct Object Reference (IDOR) vulnerability was discovered
in ARD. The flaw exists in the `fe_uid` parameter of the payment
history API endpoint. An authenticated attacker can manipulate this
parameter to access the payment history of other users without
authorization.

### Affected Component
```
https://services.ard.fr/?eID=tx_afereload_records&_dc=1743696277812&fe_uid={USERID]&startTimestamp=1741017877&endTimestamp=1743782677&mobile=1&page=1&start=0&limit=100
```

### Affected Product Code Base
ARD GEC en Ligne - Not versioned - **Patched on 2025-04-23**

### Reseachers
- [raphckrman](https://github.com/raphckrman)
- [tryon-dev](https://github.com/tryon-dev)

File Snapshot


 [4.0K]  /data/pocs/775fe5ae876681f5ce89d37c388e11cbc338525d
└── [ 714]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!