VYPR
Unrated severity · NVD Advisory · Published Dec 29, 2023 · Updated Nov 26, 2024

CVE-2023-31293

Description

Sesami CPTO 6.3.8.6 allows remote attackers to access the journal despite the option being disabled due to improper access control.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is an improper access control issue (CWE-284) in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) [1]. A reader system user can access the journal even when this feature has been disabled in the reader's profile [1].

Exploitation

The attacker needs to be authenticated as a reader system user and have access to the web browser interface. No special privileges beyond a standard reader account are required [1]. The attacker simply navigates to the journal functionality, which should be inaccessible, but due to broken access control, the journal is displayed [1].

Impact

A remote attacker with reader-level access can bypass profile restrictions and gain unauthorized access to sensitive information contained in the journal, leading to information disclosure [1]. The journal may contain transaction logs or other operational data [1].

Mitigation

The vendor has acknowledged the vulnerability, and users should update CPTO to the current version, which contains a fix [1]. As per the advisory, the fix was available before publication [1]. There is no mention of the vulnerability being listed in the CISA KEV catalog. No workarounds are documented [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Sesami / Cash Point & Transport Optimizer (source: description)
  • Sesamie / Sesamie (source: llm-fuzzy match)
    Range: = 6.3.8.6 (#718)

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper access control allows a Reader user to access the journal feature despite it being disabled for that profile."

Attack vector

An attacker with Reader system user credentials can access the journal in the web browser even though the administrator has disabled the journal option for that profile [ref_id=1]. The vulnerability is triggered through the web interface by navigating to the journal view; no special payload or network manipulation is required beyond normal authenticated access [CWE-284]. The root cause is improper access control enforcement on the server side, as the client-side or profile-based disablement is not respected.

Affected code

The advisory does not specify particular functions, files, or code paths. It identifies the product as Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) and states that the Reader system user's web browser improperly allows access to the journal feature [ref_id=1].

What the fix does

The advisory states the vendor has fixed the issue and recommends users update CPTO to its current version [ref_id=1]. No patch diff is provided. The general remediation guidance advises implementing a thorough access control matrix to define which user types can access which features, ensuring server-side enforcement of profile restrictions [ref_id=1].
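The remediation guidance above (a per-profile access control matrix enforced on the server) is the general fix for this class of CWE-284 bug. The following is an added illustration, not CPTO code and not derived from the vendor's patch: it models a profile-level "journal disabled" flag that the menu honours but a naive request handler ignores, next to a handler that checks the matrix on every request and records denied attempts for detection. All names (Profile, Session, handle_journal_*) and the sample journal entries are constructed for the example.

```python
"""Server-side enforcement of per-profile feature flags (CWE-284).

Hypothetical model of the advisory's pattern: a profile setting that
disables the journal is applied when rendering the menu (presentation)
but not in the request handler (enforcement). All identifiers here are
assumptions for illustration, not CPTO code.
"""
from dataclasses import dataclass, field

# Constructed sample data standing in for the journal contents.
JOURNAL_ENTRIES = [
    "2023-12-29 cash-in 1500.00",
    "2023-12-29 transport-out 500.00",
]


@dataclass(frozen=True)
class Profile:
    name: str
    # feature name -> enabled?  A feature absent from the matrix is
    # treated as disabled (deny by default).
    features: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Session:
    user: str
    profile: Profile


def render_menu(session):
    """UI layer: lists only enabled features. Hiding a link is not access control."""
    return [name for name, enabled in session.profile.features.items() if enabled]


# --- Vulnerable pattern: the handler assumes the menu already filtered access,
# so a direct request to the journal view succeeds for any authenticated user.
def handle_journal_vulnerable(session):
    return {"status": 200, "body": JOURNAL_ENTRIES}


# --- Hardened pattern: the access control matrix is consulted on every request.
def is_allowed(profile, feature):
    """Deny by default: an unknown feature or a missing entry is False."""
    return bool(profile.features.get(feature, False))


def handle_journal_hardened(session, audit_log):
    """Enforce the profile restriction server-side and log the decision.

    The audit_log list stands in for an application log; repeated DENY
    lines for one user are a useful detection signal for bypass attempts.
    """
    if not is_allowed(session.profile, "journal"):
        audit_log.append(
            f"DENY user={session.user} profile={session.profile.name} feature=journal"
        )
        return {"status": 403, "body": []}
    audit_log.append(
        f"ALLOW user={session.user} profile={session.profile.name} feature=journal"
    )
    return {"status": 200, "body": JOURNAL_ENTRIES}


def demo():
    """Run both handlers for a reader whose profile has the journal disabled."""
    reader = Profile("reader", {"dashboard": True, "journal": False})
    session = Session("reader1", reader)
    audit = []
    menu = render_menu(session)                     # ["dashboard"]: journal hidden
    vulnerable = handle_journal_vulnerable(session)  # 200: restriction bypassed
    hardened = handle_journal_hardened(session, audit)  # 403: restriction enforced
    return menu, vulnerable["status"], hardened["status"], audit


if __name__ == "__main__":
    print(demo())
```

The point of `is_allowed` is that enforcement keys off the same profile matrix the administrator edits, defaults to deny, and runs in the handler rather than in the template; the DENY log line gives operators something to alert on.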

Preconditions

  • auth: Attacker must have valid Reader system user credentials for the CPTO application.
  • config: The administrator must have disabled the journal feature for the Reader profile (the bypassed restriction).
  • network: Attacker must have network access to the CPTO web interface.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
