[+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC [+] twitter.com/_striv3r_ [Vendor] Autolib-india http://autolib-india.net/products.php [Product] AutoLib Software Systems OPAC Version.20.10 [Affected Component] main.js file [CVE Reference] CVE-2024-48310 [Security Issue] AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information. [Attack Vectors] After obtaining the API key, an attacker can use tools such as curl, Postman, or custom scripts to craft unauthorized requests to the target API. [Network Access] Remote [Severity] High [Disclosure Timeline] Vendor Notification: September 10, 2024 Vendor released fixed: September 25, 2024