VYPR
Unrated severity · NVD Advisory · Published Jul 23, 2018 · Updated Aug 5, 2024

CVE-2018-14328

Description

Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for /dashboard/addplan, /dashboard/paywithcard/charge, /dashboard/withdrawal, or /privacy&terms, as demonstrated by reading database username, database password, database_name, and IP address fields, related to CVE-2018-12908.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Online Trade 1 exposes database credentials and configuration via direct requests to unauthenticated endpoints.

Vulnerability

Brynamics "Online Trade - Online trading and cryptocurrency investment system" version 1 fails to enforce authentication on several endpoints, allowing unauthenticated remote attackers to obtain sensitive information. The vulnerable paths are /dashboard/addplan, /dashboard/paywithcard/charge, /dashboard/withdrawal, and /privacy&terms. A direct request to any of these endpoints produces a server response that leaks the database username, database password, database name, and internal IP address fields [1]. This issue is related to CVE-2018-12908.

Exploitation

An attacker requires no authentication, no special privileges, and only network access to the target web application. By sending a crafted POST request to /dashboard/withdrawal (or any of the listed endpoints) with arbitrary form data, the server returns a 500 error that includes stack traces and configuration details in the response body [1]. No user interaction is needed beyond sending the request.

Impact

Successful exploitation results in disclosure of sensitive configuration data, including database credentials and internal network topology (IP address). The confidentiality impact is partial, as the attacker gains credentials that could be used for further attacks against the database server. There is no integrity or availability impact from this vulnerability itself [1].

Mitigation

No official patch has been published for Online Trade version 1 as of 2018-07-23. The vendor homepage on CodeCanyon [1] may offer updates after the disclosure. Until a fix is applied, administrators should restrict access to the affected endpoints via web server rules, disable error details in production, and rotate any exposed credentials. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
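The disclosure pattern described above (an unauthenticated hit on one of the listed paths answered with a 5xx whose body carries configuration details) leaves a clear trace in the web server's access log. The following detector is an added example, not code from the vendor or from this advisory; it assumes a Combined Log Format access log and uses constructed sample lines.

```python
import re

# Endpoints named in the CVE description.
AFFECTED_PATHS = (
    "/dashboard/addplan",
    "/dashboard/paywithcard/charge",
    "/dashboard/withdrawal",
    "/privacy&terms",
)

# Combined Log Format: host ident authuser [date] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so the path compares cleanly against AFFECTED_PATHS.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec

def is_suspicious(rec):
    """An affected path answered with a 5xx is the signature the advisory
    describes. Application sessions are not visible in the authuser field,
    so the status code, not that field, is the reliable signal here."""
    return rec["path"] in AFFECTED_PATHS and 500 <= rec["status"] < 600

def scan(lines):
    """Return (ip, method, path, status) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2018:10:00:01 +0000] "POST /dashboard/withdrawal HTTP/1.1" 500 4312',
    '198.51.100.7 - alice [23/Jul/2018:10:00:05 +0000] "GET /dashboard/withdrawal HTTP/1.1" 200 812',
    '203.0.113.5 - - [23/Jul/2018:10:00:09 +0000] "GET /privacy&terms HTTP/1.1" 500 3998',
    '192.0.2.9 - - [23/Jul/2018:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious:", hit)
```

Once error details are disabled in production, the same scan still flags probes of these paths, which makes it a useful check that the web server rules are in place.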

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
