Syltek Insufficient Verification of Data Authenticity

Publication date:

03/14/2022

Importance:

4 - Alta

Affected resources:

Syltek, version < 10.22.00.

Description:

INCIBE has coordinated the publication of a vulnerability in Syltek application, with the internal code INCIBE-2022-0648, which has been discovered by Enrique Benvenutto Navarro.

CVE-2021-4031 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Solution:

This vulnerability has been solved by Playtomic in the 10.22.00 version released on 02/12/2021.

Detail:

Syltek application before its 10.22.00 version, does not correctly check that a product ID has a valid payment associated to it.

This could allow an attacker to forge a request and bypass the payment system by marking items as payed without any verification.

CWE-345: Insufficient Verification of Data Authenticity

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

References:

CVE-2021-4031 - Syltek Insufficient Verification of Data Authenticity

Tags:

Corporate access

Syltek Insufficient Verification of Data Authenticity

Múltiples vulnerabilidades en router Netgear Orbi

Múltiples vulnerabilidades en productos Aspera Faspex de IBM

Múltiples vulnerabilidades en Moodle

Vulnerabilidades 0day en chipsets Exynos de Samsung

Múltiples vulnerabilidades en el core de Drupal