2025-05-28 10:54:46
INCIBE
PUBLISHED
A Missing Authorization vulnerability has been found in DinoRANK. This vulnerability allows an attacker to access invoices of any user via accessing endpoint /facturas/YYYY-MM/SDRYYMM-XXXXX.pdf because there is no access control. The pdf filename can be obtained via OSINT, insecure network traffic or brute force.