CVE-2024-45588
📋 TL;DR
This vulnerability allows an authenticated remote attacker to bypass access controls in certain APIs of the Symphony XTS Web Trading platform's Preference module. By manipulating parameters in the API request (for example, substituting another user's identifier), the attacker can read and modify other users' sensitive information: a classic insecure direct object reference (IDOR). Organizations running version 2.0.0.1_P160 of the platform are affected.
💻 Affected Systems
- Symphony XTS Web Trading platform, version 2.0.0.1_P160
📦 What is this software?
- Xts Mobile Trader by Symphonyfintech
- Xts Web Trader by Symphonyfintech
⚠️ Risk & Real-World Impact
Worst Case
Any authenticated user could read and modify the trading preferences, account settings, or sensitive financial data of other users on the platform, potentially leading to unauthorized or mistaken trades, financial loss, or disclosure of account data.
Likely Case
Attackers access and modify preferences/settings of other users they shouldn't have access to, potentially altering trading parameters or viewing confidential information.
If Mitigated
Server-side ownership checks tie every Preference API request to the authenticated session, so each user can read and modify only their own data; a request naming another user is rejected regardless of what its parameters claim.
🎯 Exploit Status
Exploitation requires a valid account on the platform, but beyond that involves only simple parameter manipulation in HTTP requests to the Preference module APIs (replacing the user identifier with another user's). Any customer of an affected deployment is therefore a potential attacker, and no special tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0281
Restart Required: Yes
Instructions:
1. Contact Symphony support for patch information.
2. Apply the vendor-provided patch.
3. Restart application services.
4. Verify that the fix prevents unauthorized API access (see How to Verify below).
🔧 Temporary Workarounds
API Access Restriction
Implement web application firewall or reverse proxy rules that restrict the Preference module APIs to the request shapes the trading front-end actually sends, and rate-limit them per session. Note that a perimeter device can only block cross-user requests if it can compare the user identifier in the request with the authenticated session identity; otherwise this is a stopgap that reduces, but does not remove, exposure.
Network Segmentation
Where the business allows, expose the trading platform only to internal networks or VPN-connected clients and restrict external access. This shrinks the attacker population but does not remove the flaw: any authenticated user who can reach the Preference APIs can still exploit it.
🧯 If You Can't Patch
- Implement strict access controls at network perimeter to limit who can access the trading platform
- Monitor API logs for unusual parameter manipulation or unauthorized access patterns
🔍 How to Verify
Check if Vulnerable:
Check the application version in the admin interface or configuration files; 2.0.0.1_P160 is the version named in the advisory. To confirm the behaviour, use a test environment and two accounts you control: authenticate as one user and call the Preference endpoints with the other user's identifier in the request parameters. A success response containing the other user's data confirms the vulnerability.
Check Version:
Check application configuration or admin panel for version information
Verify Fix Applied:
After patching, repeat the two-account test: a request from one user's session naming the other user's identifier must return an authorization error (for example 403) and must neither return nor alter the other user's preferences. Also confirm that each user's requests for their own data still succeed, so the fix has not broken legitimate access.
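As an added illustration of the parameter manipulation described under Exploit Status and of the two-account check described under How to Verify (example code written for this page, not Symphony's implementation; the endpoint shape, the userId body field, the session mapping and the users are assumptions), the following models a toy Preference API in its vulnerable and hardened forms and the probes that tell them apart:

```python
"""Added illustration (not Symphony's code): the IDOR pattern behind this
CVE in a toy Preference API, its hardened form, and the two-account check
used to verify a fix. Endpoint shape, field names and users are assumptions."""

from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data: two users' stored preferences and their live sessions.
PREFERENCES = {
    "user_a": {"default_exchange": "NSE", "order_confirm": True},
    "user_b": {"default_exchange": "BSE", "order_confirm": False},
}
SESSIONS = {"sess_a": "user_a", "sess_b": "user_b"}


@dataclass
class Request:
    """Simplified HTTP request: session cookie plus parsed JSON body."""
    session_id: str
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_preferences(req: Request) -> Response:
    """Vulnerable pattern: the session is authenticated, but the record is
    chosen by the client-supplied userId, so any logged-in user can read
    anyone's preferences by editing one parameter."""
    if req.session_id not in SESSIONS:
        return Response(401)
    target = req.body.get("userId")  # attacker-controlled
    if target not in PREFERENCES:
        return Response(404)
    return Response(200, PREFERENCES[target])


def hardened_get_preferences(req: Request) -> Response:
    """Hardened pattern: the owner is derived from the session. A userId in
    the body is accepted only when it names the session's own user; anything
    else is refused before the record is touched."""
    owner = SESSIONS.get(req.session_id)
    if owner is None:
        return Response(401)
    requested = req.body.get("userId", owner)
    if requested != owner:
        return Response(403)  # cross-user access attempt
    return Response(200, PREFERENCES[owner])


Handler = Callable[[Request], Response]


def cross_user_access_blocked(handler: Handler) -> bool:
    """Verification probe: user_a's session asks for user_b's record.
    True means the handler refused, i.e. the ownership check is in place."""
    resp = handler(Request("sess_a", {"userId": "user_b"}))
    return resp.status == 403 and resp.body is None


def own_access_works(handler: Handler) -> bool:
    """Regression probe: the fix must not break a user's access to own data."""
    resp = handler(Request("sess_a", {"userId": "user_a"}))
    return resp.status == 200 and resp.body == PREFERENCES["user_a"]


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_get_preferences),
                    ("hardened", hardened_get_preferences)):
        print(f"{name}: cross-user blocked={cross_user_access_blocked(h)}, "
              f"own access ok={own_access_works(h)}")
```

The same ownership check belongs in the update path: derive the owner from the session, reject any request whose identifier disagrees, and only then apply a whitelist of editable fields. Returning 403 rather than 404 for a foreign identifier keeps the attempt visible in logs, which the detection section below relies on.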
📡 Detection & Monitoring
Log Indicators:
- Preference API calls whose user identifier parameter differs from the authenticated session's user (the primary indicator; on an unpatched system these succeed with 2xx responses)
- After patching, bursts of 403 responses from one session to Preference endpoints (attempted exploitation)
- One session referencing many distinct or sequential user identifiers in a short window (enumeration of other users' data)
Network Indicators:
- HTTP POST/GET requests to Preference APIs carrying a user identifier that does not belong to the requesting session (visible only where TLS is terminated and request bodies are inspected, for example at a WAF or reverse proxy)
- Unusual request volume or rate to Preference endpoints from a single client or session
SIEM Query:
source="web_logs" AND uri_path CONTAINS "preference" AND param_userId != session_userId
| stats count AS attempts, dc(param_userId) AS distinct_targets, values(status) AS statuses BY session_userId
This is a pseudo-query: map param_userId and session_userId onto the fields your platform actually logs. Request-body parameters are only searchable if the application logs them. Rows with 2xx statuses indicate successful exploitation on an unpatched host; rows with 403s after patching indicate attempts and still merit follow-up.
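The log indicators and SIEM query above, as a runnable detection over constructed log lines (added example, not part of the advisory or of any vendor tooling; the JSON log schema, the session_user field, the parameter names userId/clientId/user_id, and the "update" naming of the write endpoint are assumptions to be mapped onto the platform's real logs):

```python
"""Added detection example (not from the advisory or vendor): scan an
application log for Preference API calls whose user identifier does not
match the authenticated session. Log format and field names are assumed."""

import json
from collections import defaultdict

# Constructed sample log (JSON lines). A real deployment needs the application
# to log the session user and the request parameters; a bare web-server access
# log will not contain POST bodies.
SAMPLE_LOG = """\
{"ts":"2024-09-05T09:01:10Z","session_user":"user_a","method":"POST","path":"/api/preference/get","params":{"userId":"user_a"},"status":200}
{"ts":"2024-09-05T09:01:15Z","session_user":"user_a","method":"POST","path":"/api/preference/get","params":{"userId":"user_b"},"status":200}
{"ts":"2024-09-05T09:01:16Z","session_user":"user_a","method":"POST","path":"/api/preference/get","params":{"userId":"user_c"},"status":200}
{"ts":"2024-09-05T09:01:17Z","session_user":"user_a","method":"POST","path":"/api/preference/update","params":{"userId":"user_c","order_confirm":false},"status":200}
{"ts":"2024-09-05T09:02:00Z","session_user":"user_b","method":"POST","path":"/api/preference/get","params":{"userId":"user_b"},"status":200}
{"ts":"2024-09-05T09:02:30Z","session_user":"user_d","method":"GET","path":"/api/orders","params":{"userId":"user_a"},"status":403}
{"ts":"2024-09-05T09:03:00Z","session_user":"user_e","method":"POST","path":"/api/preference/get","params":{"userId":"user_f"},"status":403}
"""

USER_ID_FIELDS = ("userId", "clientId", "user_id")  # assumed parameter names
ENUMERATION_THRESHOLD = 2  # distinct foreign users from one session => enumeration


def parse_log(text):
    """Parse JSON lines, skipping blank or malformed entries."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def requested_user(params):
    """Return the user identifier named in the request parameters, if any."""
    for key in USER_ID_FIELDS:
        if key in params:
            return str(params[key])
    return None


def find_cross_user_requests(events):
    """Preference API calls that name a user other than the session user.
    Before the patch these return 2xx (exploitation); after it they return
    403 (attempted exploitation). Both are worth alerting on."""
    hits = []
    for ev in events:
        if "preference" not in ev.get("path", "").lower():
            continue
        target = requested_user(ev.get("params", {}))
        if target is not None and target != ev.get("session_user"):
            hits.append(ev)
    return hits


def alerts(events):
    """Aggregate cross-user requests per session user and assign a severity."""
    per_user = defaultdict(lambda: {"targets": set(), "succeeded": 0, "writes": 0})
    for ev in find_cross_user_requests(events):
        s = per_user[ev["session_user"]]
        s["targets"].add(requested_user(ev["params"]))
        if 200 <= ev.get("status", 0) < 300:
            s["succeeded"] += 1
        if "update" in ev["path"].lower():  # assumed naming of the write endpoint
            s["writes"] += 1
    out = []
    for user, s in per_user.items():
        if s["succeeded"]:
            severity = "critical" if len(s["targets"]) >= ENUMERATION_THRESHOLD else "high"
        else:
            severity = "medium" if len(s["targets"]) >= ENUMERATION_THRESHOLD else "low"
        out.append({"session_user": user, "targets": sorted(s["targets"]),
                    "succeeded": s["succeeded"], "writes": s["writes"],
                    "severity": severity})
    return sorted(out, key=lambda a: a["session_user"])


if __name__ == "__main__":
    for a in alerts(parse_log(SAMPLE_LOG)):
        print(a)
```

On the sample log, user_a is flagged as critical (successful reads of two other users plus a write), while user_e is low severity (a single refused attempt). The request to /api/orders is ignored because it is outside the Preference module; widen the path filter if the platform's other modules share the same parameter pattern.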