CVE-2023-33291

7.4 HIGH

📋 TL;DR

This vulnerability in ebankIT 6 allows unauthenticated attackers to trigger OTP (One-Time Password) messages to arbitrary email addresses or phone numbers via public endpoints. It affects ebankIT 6 installations whose public endpoints are exposed, but the contact details of registered users cannot be targeted.

💻 Affected Systems

Products:
  • ebankIT Digital Banking Platform
Versions: Version 6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects public endpoints; internal systems or properly secured deployments may not be vulnerable.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could flood unregistered email addresses/phone numbers with OTP messages, causing denial-of-service through spam, potentially leading to service disruption or reputational damage.

🟠

Likely Case

Spam attacks targeting random email/phone numbers, wasting system resources and potentially triggering rate limiting or alert fatigue.

🟢

If Mitigated

Minimal impact if endpoints are properly secured with authentication or request validation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to public endpoints; no authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.ebankit.com/digital-banking-platform

Restart Required: No

Instructions:

Check vendor advisory for updates; implement input validation and authentication on affected endpoints.

🔧 Temporary Workarounds

Restrict Public Endpoint Access

Applies to: all

Block or restrict access to /public/token/Email/generate and /public/token/SMS/generate endpoints using firewall rules or web application controls.

Implement Rate Limiting

Applies to: all

Apply rate limiting to OTP generation endpoints to prevent abuse and spam attacks.
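The two workarounds above (restricting who can reach the OTP endpoints and rate limiting them) and the fix instruction to add input validation can be combined in one server-side guard. The following is an added example, not ebankIT code: it validates the destination syntactically, consumes a per-source-IP budget, refuses destinations that are not already on file, and caps messages per destination. The contact store, limits and IP addresses are constructed placeholders.

```python
"""Added example (not ebankIT code): an OTP-issuance guard that enforces the
rate-limiting and input-validation mitigations from this advisory.
Registered contacts, limits and IP addresses below are constructed placeholders."""
import re
from collections import defaultdict, deque

# Constructed placeholder for the bank's customer contact store.
REGISTERED_CONTACTS = {"alice@example.com", "+15550001111"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")  # E.164-style, e.g. +15550001111


class SlidingWindowLimiter:
    """Allow at most max_events per key within any window_seconds span."""

    def __init__(self, max_events, window_seconds):
        self.max_events = max_events
        self.window = window_seconds
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()              # drop timestamps that fell out of the window
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


class OtpGuard:
    """Decide whether a /public/token/<channel>/generate request may send an OTP.

    per_ip:   (max requests, window seconds) for each source IP
    per_dest: (max messages, window seconds) for each destination address
    """

    def __init__(self, registered, per_ip=(20, 60), per_dest=(3, 300)):
        self.registered = {c.lower() for c in registered}
        self.ip_limiter = SlidingWindowLimiter(*per_ip)
        self.dest_limiter = SlidingWindowLimiter(*per_dest)

    def decide(self, channel, destination, source_ip, now):
        # 1. Syntactic validation of the requested destination.
        if channel == "Email":
            well_formed = bool(EMAIL_RE.match(destination))
        elif channel == "SMS":
            well_formed = bool(PHONE_RE.match(destination))
        else:
            return "deny:unknown-channel"
        if not well_formed:
            return "deny:malformed-destination"
        # 2. The per-IP budget is consumed before the registration lookup, so a
        #    flood of unregistered addresses still burns the caller's quota.
        if not self.ip_limiter.allow(source_ip, now):
            return "deny:ip-rate-limit"
        # 3. Only contacts already on file may receive an OTP. The HTTP layer
        #    should return the same generic response for every deny reason;
        #    the specific reason string is for server-side logging only.
        if destination.lower() not in self.registered:
            return "deny:unregistered"
        # 4. A per-destination cap protects a registered user from OTP spam.
        if not self.dest_limiter.allow(destination.lower(), now):
            return "deny:destination-rate-limit"
        return "send"


if __name__ == "__main__":
    guard = OtpGuard(REGISTERED_CONTACTS)
    for t, channel, dest in [(0, "Email", "alice@example.com"),
                             (1, "Email", "nobody@example.org"),
                             (2, "SMS", "12345"),
                             (3, "SMS", "+15550001111")]:
        print(t, channel, dest, "->", guard.decide(channel, dest, "198.51.100.7", t))
```

The guard keys its state in process memory; behind a load balancer the limiter state would need to live in a shared store so that a single client cannot reset its budget by hitting a different node.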

🧯 If You Can't Patch

  • Implement network segmentation to isolate ebankIT systems from untrusted networks.
  • Deploy web application firewall (WAF) rules to block malicious requests to OTP endpoints.

🔍 How to Verify

Check if Vulnerable:

Send HTTP POST requests to /public/token/Email/generate and /public/token/SMS/generate with email/phone parameters for test addresses you control; check whether OTP generation succeeds without authentication or validation.

Check Version:

Check ebankIT administration interface or documentation for version information.

Verify Fix Applied:

Test endpoints again; requests should fail or require proper authentication/validation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of requests to OTP generation endpoints
  • Requests with non-registered email/phone parameters

Network Indicators:

  • High traffic to /public/token/* endpoints from untrusted sources

SIEM Query:

source_ip NOT IN trusted_networks AND uri_path CONTAINS '/public/token/' AND count > threshold
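The SIEM query above is pseudo-syntax. As an added example (not ebankIT code or a vendor detection rule), the script below applies the same logic to web server access logs: it parses combined-format lines, discards source IPs inside trusted networks, and flags any remaining IP whose requests to /public/token/ exceed a threshold within a sliding window. The log lines, trusted networks, window and threshold are constructed.

```python
"""Added example (not ebankIT code): apply the advisory's SIEM rule to web
server access logs. Log lines, trusted networks and thresholds are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed: networks whose traffic to the OTP endpoints is expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]
WINDOW = timedelta(minutes=5)
THRESHOLD = 5   # more than this many OTP requests per window from one IP is suspicious

# Constructed sample: one external IP hammering both OTP endpoints, one trusted
# internal IP doing the same (ignored), one external IP making two requests,
# one unrelated request, and an unparseable line.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Mar/2024:10:00:01 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
203.0.113.45 - - [12/Mar/2024:10:00:15 +0000] "POST /public/token/Email/generate HTTP/1.1" 200 87
10.20.30.40 - - [12/Mar/2024:10:00:05 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
10.20.30.40 - - [12/Mar/2024:10:00:06 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
10.20.30.40 - - [12/Mar/2024:10:00:07 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
10.20.30.40 - - [12/Mar/2024:10:00:08 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
10.20.30.40 - - [12/Mar/2024:10:00:09 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
10.20.30.40 - - [12/Mar/2024:10:00:10 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
203.0.113.45 - - [12/Mar/2024:10:00:40 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
198.51.100.9 - - [12/Mar/2024:10:01:00 +0000] "POST /public/token/Email/generate HTTP/1.1" 200 87
203.0.113.45 - - [12/Mar/2024:10:01:02 +0000] "POST /public/token/Email/generate HTTP/1.1" 200 87
203.0.113.45 - - [12/Mar/2024:10:01:30 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
203.0.113.45 - - [12/Mar/2024:10:02:05 +0000] "POST /public/token/Email/generate HTTP/1.1" 200 87
203.0.113.45 - - [12/Mar/2024:10:02:10 +0000] "GET /login HTTP/1.1" 200 2310
this is not a log line
203.0.113.45 - - [12/Mar/2024:10:03:50 +0000] "POST /public/token/SMS/generate HTTP/1.1" 200 87
198.51.100.9 - - [12/Mar/2024:10:04:00 +0000] "POST /public/token/Email/generate HTTP/1.1" 200 87
""".splitlines()


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # unparseable address is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length window."""
    times = sorted(times)
    start, peak = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_otp_abusers(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each untrusted source IP to its peak OTP-endpoint request count when above threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, _status = rec
        if "/public/token/" not in path or is_trusted(ip):
            continue
        events[ip].append(ts)
    return {ip: peak for ip, times in events.items()
            if (peak := peak_in_window(times, window)) > threshold}


if __name__ == "__main__":
    for ip, count in find_otp_abusers(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} OTP requests within {WINDOW}")
```

Because the OTP endpoints take the destination as a request parameter, pairing this count with the "non-registered destination" indicator requires application-level logs that record the requested address; a plain access log only shows the path.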
