← volver
CVE-2026-53903

Insecure Direct Object Reference in MCO

CVSS 5.3 MEDIUMCWE-639
Vexday Risk Score
10Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.3EPSS KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
01 jul 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrieval based on a user-supplied identifier. An attacker can access trading documents belonging to other users by providing a valid document ID. Although exploitation requires guessing the identifier, predictable ID patterns enable feasible enumeration, leading to unauthorized disclosure of sensitive information. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Productos afectados
MyComplianceOffice · MCO

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →