Thousands of Oracle NetSuite e-commerce sites are vulnerable to exposing sensitive customer information due to misconfigured access controls.
Platform Affected: NetSuite’s SuiteCommerce platform, where misconfigured Custom Record Types (CRTs) can lead to data leakage.
Data Exposed: Full customer addresses and mobile phone numbers are at risk.
Cause: The problem stems from CRTs whose Access Type is set to “No Permission Required”, which lets unauthenticated site visitors read the records’ data through NetSuite’s record and search APIs.
Requirements for Attack:
- Attackers need to know the names of the CRTs being used.
Mitigation Recommendations:
- Tighten access controls on CRTs.
- Set the access level of sensitive fields to “None” so that unauthenticated visitors cannot read them.
- Consider taking affected sites offline temporarily.
- Change the Access Type of CRTs to “Require Custom Record Entries Permission” or “Use Permission List.”
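The record-level and field-level controls above combine to decide what an unauthenticated visitor can read. The following is an added example written for this summary, not NetSuite’s or AppOmni’s code: a plain Node.js model of CRT access control that replays the leak against a constructed, misconfigured record type, audits a set of CRT definitions for sensitive fields reachable without a permission, and applies the two recommended fixes. The record IDs, field IDs, the definition format and the sample rows are all assumptions made for the example.

```javascript
// Added example, not NetSuite code: a model of SuiteCommerce Custom Record Type
// (CRT) access control. Shows how "No Permission Required" exposes fields to
// unauthenticated callers, audits constructed CRT definitions, and hardens them.
// Record IDs, field IDs, the definition shape and sample rows are assumptions.

const ACCESS_TYPE = Object.freeze({
  NO_PERMISSION_REQUIRED: 'No Permission Required',
  REQUIRE_CRE_PERMISSION: 'Require Custom Record Entries Permission',
  USE_PERMISSION_LIST: 'Use Permission List',
});

// Access level granted to unauthenticated (public) site visitors on a field.
const FIELD_ACCESS = Object.freeze({ NONE: 'None', VIEW: 'View', EDIT: 'Edit' });

// Constructed CRT definitions: one misconfigured, one permission-gated,
// and one that is public by design and holds nothing sensitive.
const SAMPLE_CRTS = [
  {
    id: 'customrecord_customer_profile',
    accessType: ACCESS_TYPE.NO_PERMISSION_REQUIRED,
    fields: [
      { id: 'custrecord_cp_address', publicAccess: FIELD_ACCESS.VIEW },
      { id: 'custrecord_cp_mobile', publicAccess: FIELD_ACCESS.VIEW },
      { id: 'custrecord_cp_nickname', publicAccess: FIELD_ACCESS.VIEW },
    ],
  },
  {
    id: 'customrecord_loyalty_tier',
    accessType: ACCESS_TYPE.USE_PERMISSION_LIST,
    fields: [{ id: 'custrecord_lt_points', publicAccess: FIELD_ACCESS.VIEW }],
  },
  {
    id: 'customrecord_store_hours',
    accessType: ACCESS_TYPE.NO_PERMISSION_REQUIRED,
    fields: [{ id: 'custrecord_sh_hours', publicAccess: FIELD_ACCESS.VIEW }],
  },
];

// Field IDs the site owner classifies as sensitive customer data.
const SENSITIVE_FIELDS = new Set(['custrecord_cp_address', 'custrecord_cp_mobile']);

// Constructed stored rows for the misconfigured CRT.
const PROFILE_ROWS = [
  { custrecord_cp_address: '1 Example St', custrecord_cp_mobile: '+1-555-0100', custrecord_cp_nickname: 'alice' },
  { custrecord_cp_address: '2 Example Ave', custrecord_cp_mobile: '+1-555-0101', custrecord_cp_nickname: 'bob' },
];

// Can an unauthenticated caller read `fieldId` on `crt`? Both the record-level
// Access Type and the field-level public access level must allow it.
function publicCanRead(crt, fieldId) {
  if (crt.accessType !== ACCESS_TYPE.NO_PERMISSION_REQUIRED) return false;
  const field = crt.fields.find((f) => f.id === fieldId);
  return Boolean(field) && field.publicAccess !== FIELD_ACCESS.NONE;
}

// Model of the attack: an unauthenticated search against a CRT whose ID the
// attacker already knows. Returns only the columns public access permits, or
// throws when the record-level Access Type requires a role permission.
function unauthenticatedSearch(crt, rows, columns) {
  if (crt.accessType !== ACCESS_TYPE.NO_PERMISSION_REQUIRED) {
    throw new Error(`permission denied: ${crt.id} requires a role permission`);
  }
  const readable = columns.filter((c) => publicCanRead(crt, c));
  return rows.map((row) => Object.fromEntries(readable.map((c) => [c, row[c]])));
}

// Audit: list every CRT that exposes a sensitive field to unauthenticated callers.
function auditCrts(crts, sensitiveFields) {
  const findings = [];
  for (const crt of crts) {
    const exposed = crt.fields
      .map((f) => f.id)
      .filter((id) => sensitiveFields.has(id) && publicCanRead(crt, id));
    if (exposed.length > 0) findings.push({ crt: crt.id, exposed });
  }
  return findings;
}

// Remediation from the advisory: require the Custom Record Entries permission at
// record level and set sensitive fields to "None" for public access.
// Returns a hardened copy and leaves the original definition untouched.
function harden(crt, sensitiveFields) {
  return {
    ...crt,
    accessType: ACCESS_TYPE.REQUIRE_CRE_PERMISSION,
    fields: crt.fields.map((f) =>
      sensitiveFields.has(f.id) ? { ...f, publicAccess: FIELD_ACCESS.NONE } : f
    ),
  };
}

// Stand-alone run: show the leak, the audit, then re-audit after hardening
// only the CRTs that were flagged, so public-by-design records stay public.
function demo() {
  const profile = SAMPLE_CRTS[0];
  console.log('leaked:', unauthenticatedSearch(profile, PROFILE_ROWS, [...SENSITIVE_FIELDS]));
  console.log('findings:', auditCrts(SAMPLE_CRTS, SENSITIVE_FIELDS));
  const fixed = SAMPLE_CRTS.map((c) =>
    auditCrts([c], SENSITIVE_FIELDS).length > 0 ? harden(c, SENSITIVE_FIELDS) : c
  );
  console.log('findings after hardening:', auditCrts(fixed, SENSITIVE_FIELDS));
}
demo();
```

Two points the model makes visible: the “Use Permission List” record denies the unauthenticated search outright even though its field is marked View, because the record-level Access Type is checked first; and the store-hours record stays reachable after remediation because it holds no field on the sensitive list. The audit is only as good as that list, so classifying which custom fields carry customer data is the real work before tightening Access Types.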
Related Vulnerability: Cymulate has discovered a separate issue in Microsoft Entra ID that could allow attackers to bypass authentication and gain high-level access by exploiting pass-through authentication (PTA) agents in hybrid identity setups.
Impact of Entra ID Issue:
- Potentially grants global admin access if such privileges are assigned.
- Allows unauthorized access by mishandling authentication requests from different on-premises domains.