SpiceJet Online Booking System
Summary
Two access-control vulnerabilities have been identified in the SpiceJet Online Booking System, both reachable by unauthenticated users. Booking lookups are keyed by predictable identifiers that the server does not bind to the requesting user, and the lookup itself performs no authentication or authorization check. An attacker who enumerates identifiers could therefore disclose sensitive passenger name records (PNRs).
IFF Assessment
The vulnerabilities let an attacker read passengers' personal data without any credentials. That is a significant privacy risk in itself, and the accurate passenger details obtained this way can support follow-on attacks against the affected travellers, for example targeted phishing.
Severity
The CVSS score of 7.5 places the issue in the 'High' band. The score reflects two weaknesses that can be exploited over the network without credentials: an Authorization Bypass Through User-Controlled Key (CWE-639), where a caller-supplied PNR is accepted as the lookup key without checking that the caller is entitled to that record, and Missing Authentication for Critical Function (CWE-306), where the lookup is reachable with no session at all. Together they give unauthorized read access to PNRs and the personal data they contain.
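The following is an added, illustrative example and not SpiceJet's code or anything disclosed in the advisory. It shows a minimal booking-lookup handler that exhibits both weaknesses (no authentication, and a caller-supplied locator used directly as the key), next to a hardened version that authenticates the caller and binds the record to their account, and an unauthenticated "manage booking" path that requires a second factor. The bookings, session store, function names and error types are all constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Booking:
    pnr: str              # six-character record locator; often sequential
    owner: str            # account that created the booking
    last_name: str        # surname used by the unauthenticated manage flow
    passengers: List[str] = field(default_factory=list)


# Constructed sample data (not real bookings): note the sequential locators.
BOOKINGS = {
    "AB1001": Booking("AB1001", "alice", "Sharma", ["Sharma/Anita"]),
    "AB1002": Booking("AB1002", "bob", "Kumar", ["Kumar/Ravi", "Kumar/Priya"]),
}

# Constructed session store: bearer token -> authenticated account.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class NotFound(Exception):
    """Returned for absent records and for records the caller may not see."""


class Unauthorized(Exception):
    """Raised when no valid session accompanies the request."""


def lookup_vulnerable(pnr: str) -> dict:
    """CWE-306 and CWE-639 together: no session is required, and the
    caller-supplied locator is used directly as the lookup key, so anyone
    who guesses a valid PNR receives the record."""
    if pnr not in BOOKINGS:
        raise NotFound
    b = BOOKINGS[pnr]
    return {"pnr": b.pnr, "passengers": b.passengers}


def lookup_hardened(session_token: Optional[str], pnr: str) -> dict:
    """Authenticated path: the record must belong to the caller's account."""
    # CWE-306 fix: authenticate before touching any booking data.
    account = SESSIONS.get(session_token or "")
    if account is None:
        raise Unauthorized
    # CWE-639 fix: honour the user-supplied key only if the record is owned
    # by the authenticated account. An absent record and someone else's
    # record produce the same response, so the error does not confirm
    # whether a guessed locator exists.
    b = BOOKINGS.get(pnr)
    if b is None or b.owner != account:
        raise NotFound
    return {"pnr": b.pnr, "passengers": b.passengers}


def lookup_by_pnr_and_surname(pnr: str, last_name: str) -> dict:
    """Unauthenticated 'manage booking' path. The surname is a second,
    low-entropy factor: it stops bare locator enumeration but must be paired
    with rate limiting, since surname plus sequential PNR is still guessable."""
    b = BOOKINGS.get(pnr)
    # Compare against a dummy value on a miss so the code path is the same
    # whether or not the locator exists; compare_digest avoids a
    # byte-by-byte early exit on mismatch.
    expected = (b.last_name if b else "\0" * 8).casefold().encode()
    supplied = last_name.strip().casefold().encode()
    if b is None or not hmac.compare_digest(expected, supplied):
        raise NotFound
    return {"pnr": b.pnr, "passengers": b.passengers}


def outcome(handler, *args):
    """Run a handler and return its result, or the name of the error it raised."""
    try:
        return handler(*args)
    except (NotFound, Unauthorized) as exc:
        return type(exc).__name__
```

The point of the hardened handler is that the locator is never treated as a secret: the server decides what the caller may see from the session, and the user-supplied key only selects among records the caller already owns. The surname path is shown because airlines commonly expose one; it is only acceptable alongside enumeration controls on the endpoint.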
Defender Context
Defenders should treat unauthenticated access to booking lookups as PII disclosure: a PNR carries passenger names, contact details and itineraries. The practical lessons are to require authentication on every function that returns booking data, to enforce ownership checks server-side on each record access rather than relying on the secrecy of the record locator (sequential or otherwise predictable locators cannot be treated as secrets), and to monitor lookup endpoints for enumeration, meaning one client requesting many distinct locators in a short window. This matters most in systems handling sensitive personal data within critical infrastructure such as transportation.
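As an added example, not part of the advisory, the following detection pass runs over constructed access-log lines and flags clients that walk through booking locators. The combined-style log format, the /booking/<PNR> path, the 60-second window and the threshold of five distinct locators are assumptions; adjust them to the real endpoint and traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed combined-style access log and an assumed lookup path of
# /booking/<PNR>; adapt the pattern to the real endpoint.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /booking/(?P<pnr>[A-Z0-9]{6}) HTTP/[\d.]+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PNR_SPLIT = re.compile(r"^([A-Z]+)(\d+)$")

# Constructed sample: one client walks AB1001..AB1006 in six seconds while
# another reloads its own booking twice. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /booking/AB1001 HTTP/1.1" 200 812
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /booking/AB1002 HTTP/1.1" 200 944
198.51.100.5 - - [12/Mar/2024:10:00:02 +0000] "GET /booking/AB1002 HTTP/1.1" 200 944
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /booking/AB1003 HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "GET /booking/AB1004 HTTP/1.1" 200 901
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "GET /booking/AB1005 HTTP/1.1" 200 877
198.51.100.5 - - [12/Mar/2024:10:00:40 +0000] "GET /booking/AB1002 HTTP/1.1" 200 944
203.0.113.7 - - [12/Mar/2024:10:00:06 +0000] "GET /booking/AB1006 HTTP/1.1" 200 910
"""


def parse(log_text: str) -> List[Tuple[str, datetime, str, int]]:
    """Return (ip, timestamp, pnr, status) for each line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], datetime.strptime(m["ts"], TS_FMT),
                           m["pnr"], int(m["status"])))
    return events


def _sequential_steps(pnrs: List[str]) -> int:
    """Count consecutive requests whose numeric suffix increases by exactly 1,
    the signature of a client stepping through predictable locators."""
    steps = 0
    for a, b in zip(pnrs, pnrs[1:]):
        ma, mb = PNR_SPLIT.match(a), PNR_SPLIT.match(b)
        if ma and mb and ma[1] == mb[1] and int(mb[2]) - int(ma[2]) == 1:
            steps += 1
    return steps


def find_enumerators(log_text: str, window_seconds: int = 60,
                     min_distinct: int = 5) -> Dict[str, Dict[str, int]]:
    """Flag sources that request at least min_distinct different locators
    inside any window_seconds-long window. Thresholds are assumptions; tune
    them against real traffic. 404s count too: a guessing client sees many."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ip, ts, pnr, _status in parse(log_text):
        by_ip[ip].append((ts, pnr))

    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        times = [t for t, _ in reqs]
        pnrs = [p for _, p in reqs]
        best = 0
        j = 0
        for i in range(len(reqs)):
            # Sliding window: advance j while reqs[i:j] fits in the window.
            while j < len(reqs) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, len(set(pnrs[i:j])))
        if best >= min_distinct:
            flagged[ip] = {"distinct": best, "sequential": _sequential_steps(pnrs)}
    return flagged
```

A legitimate passenger reloading their own booking produces one distinct locator per source, so the distinct-locator count separates it from enumeration; the sequential-step count is a second signal that is specific to predictable identifiers and is worth keeping even after the identifier scheme is fixed, as a regression check.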