[+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC
[+] twitter.com/_striv3r_
[Vendor]
Autolib-india
http://autolib-india.net/products.php
[Product]
AutoLib Software Systems OPAC Version.20.10
[Affected Component]
main.js file
[CVE Reference]
CVE-2024-48310
[Security Issue]
AutoLib Software Systems OPAC v20.10 was discovered to have multiple API
keys exposed within the source code. Attackers may use these keys to access
the backend API or other sensitive information.
[Attack Vectors]
After obtaining the API key, an attacker can use tools such as curl,
Postman, or custom scripts to craft unauthorized requests to the target API.
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: September 10, 2024
Vendor released fixed: September 25, 2024