
CVE-2023-36235: n/a in n/a

Medium
Tags: Vulnerability, CVE-2023-36235, cve, cve-2023-36235
Published: Wed Jan 17 2024 (01/17/2024, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

An issue in webkul qloapps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter.

AI-Powered Analysis

Last updated: 07/11/2025, 22:46:37 UTC

Technical Analysis

CVE-2023-36235 is a medium-severity vulnerability affecting versions of the QloApps platform prior to v1.6.0. QloApps is an open-source hotel booking and reservation system used by small to medium hospitality businesses. The vulnerability arises from improper access control on the 'id_order' parameter: an attacker with some level of authenticated access (PR:L) can retrieve sensitive information without any user interaction (UI:N). It is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key), in which a user-supplied record identifier is used to look up data without verifying that the requester is authorized to see that record; the result is exposure of sensitive information to users who should not have it. The CVSS 3.1 base score of 6.5 reflects a network attack vector (AV:N), low attack complexity (AC:L), no user interaction, and an unchanged scope (S:U). The impact is high on confidentiality (C:H) with no effect on integrity or availability. In practice, an attacker can access order data belonging to other customers by manipulating the 'id_order' value in a request, potentially leaking customer information, booking details, or payment data. No known exploits are currently in the wild, and no official patches or vendor advisories are linked, but the issue is publicly disclosed and should be addressed promptly to prevent exploitation.

Potential Impact

For European organizations, particularly those in the hospitality sector using QloApps for booking management, this vulnerability poses a significant risk to customer data confidentiality. Exposure of sensitive booking or payment information could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. The hospitality industry in Europe is a prime target for data breaches due to the volume of personal and payment data processed. Attackers exploiting this vulnerability could gain unauthorized access to customer orders, potentially facilitating identity theft, fraud, or targeted phishing attacks. The lack of impact on integrity and availability means operational disruption is unlikely, but the confidentiality breach alone is critical given the strict data protection regulations in Europe.

Mitigation Recommendations

European organizations using QloApps should immediately upgrade to version 1.6.0 or later where this vulnerability is fixed. If upgrading is not immediately feasible, implement strict access controls on the 'id_order' parameter to ensure that users can only access their own order information. This can be done by validating the ownership of the order against the authenticated user session on the server side. Additionally, conduct thorough code reviews and penetration testing focused on authorization checks around order retrieval functions. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious parameter tampering attempts. Regularly monitor logs for unusual access patterns to order data. Finally, ensure that all sensitive data is encrypted both in transit and at rest to minimize the impact of any potential data leakage.
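The following is an added illustration of the authorization check described above and of the log monitoring it recommends; it is not QloApps code. The in-memory order table, the field names id_order and id_customer, the Session object, the request path and the sample log lines are all constructed assumptions that mirror a typical shop schema. It contrasts a lookup keyed only on the user-supplied id_order (the CWE-639 pattern) with one scoped to the authenticated customer, and adds a simple per-customer count of distinct id_order values to surface enumeration in access logs.

```python
"""
Model of an insecure-direct-object-reference lookup on an order id and its
server-side fix, plus a log check for id_order enumeration.
Added example code, not QloApps source; all data below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two customers (7 and 9), three orders.
ORDERS = {
    1001: {"id_order": 1001, "id_customer": 7, "total": 250.00, "card_last4": "4242"},
    1002: {"id_order": 1002, "id_customer": 7, "total": 99.00, "card_last4": "4242"},
    1003: {"id_order": 1003, "id_customer": 9, "total": 540.00, "card_last4": "1881"},
}


@dataclass
class Session:
    """Minimal stand-in for the authenticated user's session (assumed shape)."""
    id_customer: Optional[int]  # None when nobody is logged in


class Forbidden(Exception):
    pass


def get_order_vulnerable(session: Session, id_order) -> Optional[dict]:
    """Vulnerable pattern: the row is fetched by the user-supplied key alone.
    Any logged-in user can read any order simply by changing id_order."""
    if session.id_customer is None:
        raise Forbidden("login required")
    return ORDERS.get(int(id_order))


def get_order_hardened(session: Session, id_order) -> Optional[dict]:
    """Fixed pattern: the lookup is scoped to the authenticated customer.
    An order that exists but belongs to someone else is treated exactly like
    a missing one, so the response does not confirm which ids are valid."""
    if session.id_customer is None:
        raise Forbidden("login required")
    try:
        key = int(id_order)
    except (TypeError, ValueError):
        return None  # malformed id: same answer as "not found"
    order = ORDERS.get(key)
    if order is None or order["id_customer"] != session.id_customer:
        return None
    return order


# Detection over access logs (constructed format): count how many distinct
# id_order values each customer requested; a burst of distinct ids from one
# account is the signature of enumeration against the order-detail endpoint.
LOG_RE = re.compile(r"customer=(?P<cust>\d+) .*[?&]id_order=(?P<oid>\d+)")


def enumeration_suspects(log_lines, threshold: int = 5) -> dict:
    """Return {id_customer: distinct_id_order_count} for accounts at or over threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[int(m.group("cust"))].add(int(m.group("oid")))
    return {c: len(ids) for c, ids in seen.items() if len(ids) >= threshold}


# Constructed log sample: customer 7 views its own two orders; customer 9
# walks through six consecutive ids.
SAMPLE_LOG = [
    "2024-01-17T10:00:01Z customer=7 GET /order-detail?id_order=1001 200",
    "2024-01-17T10:00:05Z customer=7 GET /order-detail?id_order=1002 200",
    "2024-01-17T10:01:00Z customer=9 GET /my-account 200",
] + [
    f"2024-01-17T10:02:{i:02d}Z customer=9 GET /order-detail?id_order={1000 + i} 200"
    for i in range(6)
]


if __name__ == "__main__":
    other = Session(id_customer=9)
    print("vulnerable:", get_order_vulnerable(other, "1001"))  # leaks customer 7's order
    print("hardened:  ", get_order_hardened(other, "1001"))    # None
    print("suspects:  ", enumeration_suspects(SAMPLE_LOG))     # {9: 6}
```

The essential change is that ownership is part of the query itself (the equivalent of `WHERE id_order = ? AND id_customer = ?`), not a check bolted on after the row has been loaded and partially rendered; returning the same "not found" result for foreign and missing ids also removes the oracle an attacker would otherwise use to confirm valid order numbers.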


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2023-06-21T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68487f531b0bd07c39389e76

Added to database: 6/10/2025, 6:54:11 PM

Last enriched: 7/11/2025, 10:46:37 PM

Last updated: 7/31/2025, 5:50:45 PM

Views: 15
