CVE-2024-40395

1. CVE-2024-40395
2.  
3. Description:
4. An Authenticated Insecure Direct Object Reference (IDOR) in PTC ThingWorx v9.5.0
5. allows attackers to view sensitive information, including PII, regardless of access level.
6.  
7. This allows any user to get data of vehicles, drivers, users and other information of all organizations of the vulnerable system using PTC ThingWorx v9.5.0 instead of the normally allowed view of his own organization.
8.  
9. The IDOR is possible by altering the Organization name parameter in the HTTP requests, which will make the corresponding data to show in the HTTP response.
10.  
11. ------------------------------------------
12.  
13. Vulnerability Type:
14. Authenticated Insecure Direct Object Reference (IDOR)
15.  
16. ------------------------------------------
17.  
18. Vendor of Product and Version:
19. PTC ThingWorx - Thingworx Platform version 9.5.0
20.  
21. ------------------------------------------
22.  
23. Affected Endpoints:
24. - POST /Thingworx/Things/PostgreSQLNew/Services/VehicleProfile_NewV5?
25. - POST /Thingworx/Things/PostgreSQL/Services/Driver_Pages_New_V3?
26. - POST /Thingworx/Things/UsersThing/Services/GetUsersByOrganizationMultiQ?
27.  
28. ------------------------------------------
29.  
30. Impact: Information Disclosure
31.  
32. ------------------------------------------
33.  
34. Attack Vectors:
35. Compromised Credentials.
36.  
37. ------------------------------------------
38.  
39. Discoverer:
40. Abdulazeiz Rashed Aldhanhani