Account Access and Data Manipulation via Persistent HTTP GET Request Hash Link Replay

Account Access and Data Manipulation via Persistent HTTP GET Request Hash Link Replay

CVE-2019-11488 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:P/A:P

Incorrect Access Control in the Account Access / Password Reset Link in SimplyBook.me Enterprise before 2019-04-23 allows Unauthorized Attackers to READ/WRITE Customer or Administrator data via a persistent HTTP GET Request Hash Link Replay, as demonstrated by a login-link from the browser history.

Learn more about our Web Application Penetration Testing UK.