Executive Summary

CVE-2026-5031 is an Insecure Direct Object Reference (IDOR) vulnerability found in the BichitroGan ISP Billing Software version 2025.3.20. It affects the User Management Module at the endpoint where the 'id' parameter in the URL is user-controlled and lacks proper authorization validation.

This means that low-privileged authenticated users, such as those with Sales or Agent roles, can manipulate the 'id' parameter to access other users' account information, including administrative accounts, without permission.

The root cause is the application's failure to verify whether the requesting user has permission to access the user profile data identified by the 'id' parameter, leading to unauthorized exposure of sensitive user and operational data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with low privileges to enumerate and access other users' account information, including sensitive administrative data.

The impact includes unauthorized exposure of sensitive ISP user data, enabling attackers to perform privilege escalation reconnaissance and potentially target administrator accounts.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access user profile data via the endpoint with manipulated ID parameters in the URL. Specifically, after logging in as a low-privileged user, you can try to modify the `id` parameter in the URL `https://demo.bichitrogan.com/?_route=settings/users-view/{id}` to see if you can access other users' information without proper authorization.

A practical detection method involves using HTTP request tools such as curl or browser developer tools to send requests with different `id` values and observe if unauthorized data is returned.

• Example curl command to test access control bypass:
• curl -i -b cookies.txt "https://demo.bichitrogan.com/?_route=settings/users-view/2"
• Replace `2` with different user IDs to check if data from other users is accessible.

If the server returns user data for IDs other than the logged-in user's ID without proper authorization errors, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing strict server-side authorization checks to ensure that users can only access their own data unless explicitly authorized.

• Enforce role-based access control (RBAC) on all user-related endpoints.
• Restrict users from viewing or manipulating other users' accounts unless they have administrative privileges.
• Avoid exposing sequential numeric identifiers in URLs that can be easily manipulated.
• Centralize access control logic to ensure consistent authorization checks across the application.

An example security check is to deny access if the current user ID does not match the requested user ID and the current user is not an administrator.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized access to sensitive user and operational data by low-privileged users, leading to exposure of personal and administrative account information. This unauthorized exposure of sensitive information can result in non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls on access to personal and sensitive data.

Specifically, the lack of proper authorization checks and improper access control could violate principles of data confidentiality and integrity required by these standards, potentially leading to legal and regulatory repercussions for the affected organization.

Useful 0 Not Useful 0