{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5031", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T16:05:48.199Z", "datePublished": "2026-03-29T04:30:11.668Z", "dateUpdated": "2026-03-29T04:30:11.668Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-29T04:30:11.668Z"}, "title": "BichitroGan ISP Billing Software Endpoint users-view resource injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-99", "lang": "en", "description": "Improper Control of Resource Identifiers"}]}], "affected": [{"vendor": "BichitroGan", "product": "ISP Billing Software", "versions": [{"version": "2025.3.20", "status": "affected"}], "modules": ["Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T17:11:04.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "4m3rr0r (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/353953", "name": "VDB-353953 | BichitroGan ISP Billing Software Endpoint users-view resource injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353953/cti", "name": "VDB-353953 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/778530", "name": "Submit #778530 | BichitroGan ISP Billing Software 2025.3.20 Insecure Direct Object Reference (IDOR) / Broken Access Control", "tags": ["third-party-advisory"]}, {"url": "https://github.com/4m3rr0r/PoCVulDb/issues/15", "tags": ["exploit", "issue-tracking"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5031", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-29T05:15:55.957", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/4m3rr0r/PoCVulDb/issues/15"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/778530"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353953"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353953/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-99"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2025.3.20"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ISP Billing Software", "source": "cna", "vendor": "BichitroGan"}, "product": "isp_billing_software", "vendor": "bichitrogan"}], "analysis": {"en": {"generated_at": "2026-03-29T06:20:32.651103+00:00", "value": {"mitigation_remediation": ["Verify whether a newer, patched version of BichitroGan ISP Billing Software exists and upgrade immediately if available", "Configure web application firewall or network rules to block access to the /?_route=settings/users-view/ endpoint from untrusted sources", "If customization is possible, enforce strict validation or whitelisting on the ID parameter for the affected route", "Monitor application logs for signs of unauthorized parameter manipulation or repeated failed requests to the vulnerable endpoint", "Contact BichitroGan support to request a formal fix and track communication for audit purposes"], "summary": {"action": "Apply Patch", "impact": "Resource injection leading to potential data exposure"}, "threat_synthesis": {"affected_systems": "This vulnerability applies only to the BichitroGan ISP Billing Software version 2025.3.20. No later, patched release is documented, so all installations of this specific version remain vulnerable.", "description_and_impact": "A flaw was detected in the 2025.3.20 release of BichitroGan ISP Billing Software affecting the Endpoint component\u2019s users\u2011view route. By manipulating the ID argument, an attacker can cause improper control of resource identifiers, enabling remote resource injection. The public exploit demonstrates that the weakness can be leveraged from outside the network, potentially allowing unauthorized access to or modification of billing or user data.", "risk_and_exploitability": "With a CVSS score of 5.3 the risk is moderate, yet the attack can reach end\u2011points remotely and the exploit is publicly available. Although EPSS data is missing and the issue is not listed in CISA\u2019s KEV catalog, the lack of a vendor response underscores the potential for unmitigated exposure if no interim controls are applied."}}}}, "created": "2026-03-29T20:31:46.823273+00:00", "updated": "2026-03-30T06:58:38.622578+00:00", "vendors": ["bichitrogan", "bichitrogan$PRODUCT$isp_billing_software"]}