CVE Catalog

CVE-2026-53903

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

An IDOR vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint allows unauthorized access to other users' trading documents. The lack of authorization validation enables document retrieval based on a user-supplied identifier, which can be easily guessed.

Risk Assessment

The risk involves potential leakage of sensitive trading data, such as invoices or transaction statements, which could lead to financial losses and confidentiality breaches.

Recommendation

Immediately update the MCO system to the latest available version if a patch is released, or implement temporary mitigations such as application-level access controls and randomized document identifiers.

Original NVD description (English source)

MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrieval based on a user-supplied identifier. An attacker can access trading documents belonging to other users by providing a valid document ID. Although exploitation requires guessing the identifier, predictable ID patterns enable feasible enumeration, leading to unauthorized disclosure of sensitive information. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS