Business Logic Vulnerability in HCL Aftermarket EPC Software
CVE-2024-23564
9.1CRITICAL
What is CVE-2024-23564?
HCL Aftermarket EPC is vulnerable to a business logic issue that allows an unauthorized user to exploit the application by extracting passwords from the server. By manipulating server responses, an attacker can redirect the retrieved passwords to their own email address. Although initial user validation checks are performed for UserId, similar controls are lacking for email-based password retrieval requests, leading to this security flaw.
Affected Version(s)
Aftermarket EPC version 1.0.0
