CVE-2026-9493
Insecure Direct Object Reference in BankPro E-Service Service Center
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: TWCERT/CC
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bankpro_e_service_technology | service_center | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9493 is an Insecure Direct Object Reference (IDOR) vulnerability in the Service Center software developed by BankPro E-Service Technology.
This flaw allows authenticated remote attackers to manipulate parameters in a specific query function to access other users' e-commerce (EC) order details.
How can this vulnerability impact me?
The vulnerability allows attackers who have authenticated access to the system to view other users' EC order information by modifying query parameters.
This can lead to unauthorized disclosure of sensitive order details, potentially compromising user privacy and trust.
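To make the CWE-639 pattern concrete, here is an added example (not BankPro's code; the order table, user names and log format are constructed) showing an order-lookup function that trusts the client-supplied order id beside a version that also binds the lookup to the server-side session user, plus a small audit helper for spotting cross-user reads in access logs.

```python
# Added illustration of the IDOR class behind CVE-2026-9493; not vendor code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    summary: str

# Constructed sample data standing in for the EC order table.
ORDERS = {
    1001: Order(1001, "alice", "2 x widget, shipped"),
    1002: Order(1002, "bob", "1 x gadget, pending"),
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""

def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    # Authentication happened (session_user is known), but authorization is
    # missing: any logged-in user can read any order just by changing the id.
    return ORDERS[order_id]

def can_access(session_user: str, order_id: int) -> bool:
    # Object-level authorization: the record must exist AND belong to the
    # user taken from the server-side session, never from request parameters.
    order = ORDERS.get(order_id)
    return order is not None and order.owner == session_user

def get_order_fixed(session_user: str, order_id: int) -> Order:
    if not can_access(session_user, order_id):
        # Same response for "missing" and "not yours", so ids cannot be
        # enumerated by comparing error messages.
        raise Forbidden(f"order {order_id} not accessible")
    return ORDERS[order_id]

def audit_cross_user_reads(log_lines):
    """Detection helper: return (user, order_id) pairs where the session user
    read an order they do not own. Constructed log format: 'user order_id'."""
    findings = []
    for line in log_lines:
        user, oid = line.split()
        order = ORDERS.get(int(oid))
        if order is not None and order.owner != user:
            findings.append((user, int(oid)))
    return findings
```

The audit helper is what a defender would run over historical access logs of the query function to estimate how many order records were exposed before the server-side patch was applied.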
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been addressed with a server-side patch.
No action is required from users to mitigate this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.