Description
An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters. NOTE: This vulnerability may only affect a testing version of the application
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://www.subex.com/partner-settlement/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/157197/Subex-ROC-Partner-Settlement-10.5-Insecure-Direct-Object-Reference.html
Scores
CVSS v3
8.8
EPSS
0.0059
EPSS Percentile
69.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-639
Status
published
Products (1)
subex/roc_partner_settlement
10.5
Published
Apr 14, 2020
Tracked Since
Feb 18, 2026