CVE-2023-33291
HIGHebankIT 6 - Unauthenticated Arbitrary OTP Generation via Public Token Endpoints
Title source: llmDescription
In ebankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any e-mail address or phone number without validation. (It cannot be exploited with e-mail addresses or phone numbers that are registered in the application.)
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/172476/eBankIT-6-Arbitrary-OTP-Generation.html
Scores
CVSS v3
7.4
EPSS
0.0089
EPSS Percentile
54.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-276
Status
published
Products (1)
ebankit/ebankit
6
Published
May 28, 2023
Tracked Since
Feb 18, 2026