CVE-2026-9493
Description
Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users' EC order details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote attackers can modify a query parameter in BankPro E-Service Technology's Service Center to access other users' EC order details via an IDOR vulnerability.
Vulnerability
Service Center developed by BankPro E-Service Technology contains an Insecure Direct Object Reference (IDOR) vulnerability (TVN-202605002). The flaw exists in a specific query function where the application does not properly validate whether an authenticated user is authorized to access the requested resource. An attacker can modify the parameter of this query function to retrieve EC order details belonging to other users. The affected product is Service Center, and the issue is rated as CVSS 6.5 (Medium) [1][2].
Exploitation
An attacker must be authenticated to the Service Center web application. The attacker then crafts a request to the vulnerable query function, altering the parameter value (likely an order identifier) to enumerate or guess valid IDs belonging to other users. No additional privileges or user interaction are required, as the function does not enforce proper access control checks on the server [2].
Impact
A successful attack results in the unauthorized disclosure of other users' EC order details, which may include sensitive personal or transactional data. The vulnerability impacts confidentiality (C) but does not affect integrity (I) or availability (A) [2].
Mitigation
The vendor has patched the vulnerability server-side. According to the advisory, the fix is applied on the backend, and users do not need to take any action [2]. No workarounds or additional steps are necessary.
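The server-side fix the advisory describes is an object-level authorization check. The following is an added illustration, not BankPro's code: a lookup that trusts the caller's order identifier (the IDOR pattern) next to one that also verifies ownership. The order store, user names and the `NotFound` error are constructed for the example.

```python
# Added example: an IDOR-prone order-detail lookup beside a hardened version
# that enforces ownership on the server side. Names and data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    summary: str


# Constructed sample data standing in for an EC order table.
ORDERS = {
    1001: Order(1001, "alice", "2x widget, shipped"),
    1002: Order(1002, "bob", "1x gadget, pending"),
}


class NotFound(Exception):
    """Raised when the caller may not see the requested order (or it does not exist)."""


def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    # Only authentication is checked; the order_id taken from the request is trusted.
    if not session_user:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound()
    return order  # any logged-in user can read any order


def get_order_fixed(session_user: str, order_id: int) -> Order:
    # Authentication plus an object-level authorization check.
    if not session_user:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    # Treat "exists but belongs to someone else" the same as "does not exist",
    # so the response does not reveal which identifiers are valid.
    if order is None or order.owner != session_user:
        raise NotFound()
    return order


def can_read(fn, session_user: str, order_id: int) -> bool:
    """True if fn returns an order for this caller, False if it is hidden."""
    try:
        fn(session_user, order_id)
        return True
    except NotFound:
        return False
```

In a real application the ownership comparison would be part of the database query (filtering by the session's user id) so that no code path can return another user's record.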
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.