Published on January 28th, 2019 | 2439 Views
CUJO's APIs Vulnerabilities
Write-up at http://www.cujo.fail
Summary:
1) Remote Arbitrary Users' Schedules, ProfileIDs and AgentIDs Enumeration.
2) Remote Arbitrary Users' Schedules Creation.
3) Remote Arbitrary Users' Schedules Deletion.
A malicious user could enumerate all existing users and, for each of them, create a new 24/7 schedule that is automatically enabled and automatically pauses internet access, resulting in a DoS attack.
Additionally, a malicious user could delete all existing schedules for all of CUJO's customers.