
Oracle NetSuite e-commerce sites are vulnerable to exposing sensitive customer information


Thousands of Oracle NetSuite e-commerce sites are vulnerable to exposing sensitive customer information due to misconfigured access controls.

Platform Affected: NetSuite’s SuiteCommerce platform, where misconfigured Custom Record Types (CRTs) can lead to data leakage.

Data Exposed: Full customer addresses and mobile phone numbers are at risk.

Cause: The problem stems from CRTs configured with the “No Permission Required” Access Type, which lets unauthenticated site visitors read the record data through NetSuite’s record and search APIs.

Requirements for Attack:

  • Attackers need to know the names of the CRTs being used.

Mitigation Recommendations:

  • Tighten access controls on CRTs: change the Access Type of affected CRTs from “No Permission Required” to “Require Custom Record Entries Permission” or “Use Permission List.”
  • Set the access level of sensitive fields (addresses, phone numbers) to “None” so they are not exposed to public access.
  • Consider taking affected sites offline temporarily until the access controls are tightened.
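As an added example that is not part of the original article, the following Python script models the access decision described above (the three CRT Access Types plus per-field access levels) and audits a set of CRT definitions for sensitive fields that an unauthenticated caller can read. The record shapes, field script IDs and the “View”/“None” field levels are constructed assumptions standing in for what an administrator would export from the NetSuite customization UI; they are not NetSuite’s real export format or API.

```python
"""Audit model for NetSuite Custom Record Type (CRT) access settings.

Constructed example: the dataclasses below are a simplified stand-in for a
CRT export from Customization > Lists, Records & Fields > Record Types.
They are assumptions for illustration, not NetSuite's real data model.
"""
from dataclasses import dataclass, field as dc_field
from typing import Dict, List, Optional

# Access Type values as named in the NetSuite UI.
NO_PERMISSION_REQUIRED = "No Permission Required"
REQUIRE_CRE_PERMISSION = "Require Custom Record Entries Permission"
USE_PERMISSION_LIST = "Use Permission List"

# Field-level access levels (assumed simplification to two values).
VIEW, NONE = "View", "None"


@dataclass
class CrtField:
    script_id: str
    default_access: str                 # level applied when no role override
    sensitive: bool = False             # holds PII (address, mobile, ...)?
    role_access: Dict[str, str] = dc_field(default_factory=dict)

    def level_for(self, role: Optional[str]) -> str:
        # Anonymous callers have no role, so they get the default level.
        return self.role_access.get(role, self.default_access) if role else self.default_access


@dataclass
class CustomRecordType:
    script_id: str
    access_type: str
    fields: List[CrtField]
    # role -> level; only consulted under "Use Permission List"
    permission_list: Dict[str, str] = dc_field(default_factory=dict)


@dataclass
class Principal:
    """Who is asking. An anonymous site visitor has no role and no permissions."""
    role: Optional[str] = None
    has_custom_record_entries_perm: bool = False


def can_read(crt: CustomRecordType, fld: CrtField, who: Principal) -> bool:
    """Model of whether `who` can read `fld` on `crt` via the record/search APIs."""
    field_visible = fld.level_for(who.role) != NONE
    if crt.access_type == NO_PERMISSION_REQUIRED:
        # Record-level check is skipped for everyone, including unauthenticated
        # callers; only the field-level access level stands in the way.
        return field_visible
    if who.role is None:
        return False                    # the other two types need an authenticated role
    if crt.access_type == REQUIRE_CRE_PERMISSION:
        return who.has_custom_record_entries_perm and field_visible
    if crt.access_type == USE_PERMISSION_LIST:
        return crt.permission_list.get(who.role, NONE) != NONE and field_visible
    raise ValueError(f"unknown access type {crt.access_type!r}")


def audit(crts: List[CustomRecordType]) -> List[str]:
    """One finding per sensitive field readable by an anonymous caller."""
    anonymous = Principal()
    findings = []
    for crt in crts:
        for fld in crt.fields:
            if fld.sensitive and can_read(crt, fld, anonymous):
                findings.append(
                    f"{crt.script_id}.{fld.script_id}: readable without authentication "
                    f"(access type {crt.access_type!r}, field level {fld.default_access!r})")
    return findings


# Constructed sample configurations (script IDs are made up).
LEAKY = CustomRecordType("customrecord_ship_address", NO_PERMISSION_REQUIRED, [
    CrtField("custrecord_addr_line1", VIEW, sensitive=True),
    CrtField("custrecord_mobile", VIEW, sensitive=True),
    CrtField("custrecord_country", VIEW)])

# Interim fix from the advisory: access type unchanged, sensitive fields set to None.
FIELD_LOCKED = CustomRecordType("customrecord_ship_address", NO_PERMISSION_REQUIRED, [
    CrtField("custrecord_addr_line1", NONE, sensitive=True),
    CrtField("custrecord_mobile", NONE, sensitive=True),
    CrtField("custrecord_country", VIEW)])

# Full fix: Use Permission List, with a role override so staff can still view PII.
HARDENED = CustomRecordType("customrecord_ship_address", USE_PERMISSION_LIST, [
    CrtField("custrecord_addr_line1", NONE, sensitive=True, role_access={"customer_service": VIEW}),
    CrtField("custrecord_mobile", NONE, sensitive=True, role_access={"customer_service": VIEW}),
    CrtField("custrecord_country", VIEW)],
    permission_list={"customer_service": VIEW})

if __name__ == "__main__":
    for finding in audit([LEAKY, FIELD_LOCKED, HARDENED]):
        print("FINDING:", finding)
    agent = Principal(role="customer_service")
    print("agent reads mobile on hardened CRT:", can_read(HARDENED, HARDENED.fields[1], agent))
```

Running it reports two findings for the leaky configuration (address line and mobile) and none for either fixed variant, while the customer-service role can still read the fields on the hardened record. Note that setting the field level to “None” under “No Permission Required” only protects the fields you remembered to mark sensitive; changing the Access Type closes the record to anonymous callers outright, which is why the advisory lists it as the durable fix.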

Related Vulnerability: Cymulate has discovered a separate issue in Microsoft Entra ID that could allow attackers to bypass authentication and gain high-level access by exploiting pass-through authentication (PTA) agents in hybrid identity setups.

Impact of Entra ID Issue:

  • Allows unauthorized access because PTA agents mishandle authentication requests from different on-premises domains.
  • Potentially grants global admin access if such privileges are assigned to the affected account.

