NSIDE ATTACK LOGIC discovered multiple vulnerabilities that may allow attackers to gain unauthorized access to the eBanking web interface, granting access to sensitive data such as account statements. The vulnerability described in this advisory is the disclosure of session IDs via a WebSocket connection.

Introduction

UC eBanking Prime is an on-premise electronic banking solution for business clients of HypoVereinsbank/UniCredit. It consists of a web application hosted in the client’s intranet and a desktop application used for authentication called OTC Client.

Description

UC eBanking Prime uses the messaging protocol STOMP over WebSockets to asynchronously exchange messages between the Prime server and the OTC Client desktop application. This mechanism is used for notifications, for example about logon and logoff events.

In order to receive notifications for a certain user, the desktop application connects to the HTTP(S) endpoint `/signatureClient/otc`, providing the user’s 12-character user ID in the HTTP header „UID“. It then subscribes to the STOMP topic `/user/topic`.

Once a user authenticates to the web application, a „login success“ message is broadcast to subscribed clients. The message contains a STOMP header called „sessionId“ whose value is the JSESSIONID cookie of the associated web session.

Risk

Attackers with knowledge of a user ID and network access to the Prime server can subscribe to that user’s notifications. Once the user authenticates, the associated JSESSIONID is broadcast to all subscribers, including the attacker. This grants the attacker an authenticated session and allows them to act on behalf of the user. While most user IDs are randomly generated, they are not treated as secrets. Additionally, the default administrator account has the user ID 111-111-111-111.

Solution/Mitigation

The vendor fixed this vulnerability in version 6.2.0.3 by broadcasting the SHA-256 hash value of the JSESSIONID instead. This is regarded as a solution for this vulnerability, as there is no practical way to take over a session given that information.

Affected users are therefore advised to update to version 6.2.0.3 or a more recent one.
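The notification described in the Description section (a STOMP MESSAGE frame on `/user/topic` carrying a `sessionId` header) and the fix described above (broadcasting the SHA-256 digest of the JSESSIONID instead of the raw value), as an added Python illustration that is not the product's or NSIDE's code. It serialises and parses STOMP frames, builds the login notification in both its vulnerable and its fixed form, and audits a captured frame to detect whether a live session ID is exposed. Only the destination, the header name and the hashing scheme come from the advisory; the frame body text, the sample user ID and session ID, and all function names are assumptions made for this example.

```python
import hashlib
import re
import secrets
from typing import Dict, Optional, Set, Tuple

# Destination and header name are taken from the advisory; the rest of this
# module is an added illustration of the frame format, the fix and an audit.
DESTINATION = "/user/topic"
SESSION_HEADER = "sessionId"
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def escape_header(value: str) -> str:
    """STOMP 1.2 header escaping (backslash, newline, colon) for MESSAGE frames."""
    return value.replace("\\", "\\\\").replace("\n", "\\n").replace(":", "\\c")


def unescape_header(value: str) -> str:
    """Inverse of escape_header; also accepts the \\r escape defined by STOMP 1.2."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"\\": "\\", "n": "\n", "c": ":", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def session_reference(session_id: str) -> str:
    """What the fixed version (6.2.0.3) broadcasts instead of the raw cookie."""
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def build_login_notification(user_id: str, session_id: str, hashed: bool) -> str:
    """Serialise a STOMP MESSAGE frame for a 'login success' event.

    hashed=False models the vulnerable behaviour (raw JSESSIONID in the header);
    hashed=True models the vendor fix (SHA-256 hex digest in its place).
    The body text is an assumption; the advisory does not specify it.
    """
    body = f"login success for {user_id}"
    headers = [
        ("destination", DESTINATION),
        ("content-type", "text/plain"),
        ("content-length", str(len(body.encode("utf-8")))),
        (SESSION_HEADER, session_reference(session_id) if hashed else session_id),
    ]
    head = "MESSAGE\n" + "".join(f"{k}:{escape_header(v)}\n" for k, v in headers)
    return head + "\n" + body + "\x00"


def parse_frame(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Parse one STOMP frame into (command, headers, body)."""
    head, sep, rest = raw.partition("\n\n")
    if not sep:
        raise ValueError("malformed frame: no blank line after headers")
    lines = head.split("\n")
    command, headers = lines[0], {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        # STOMP rule: when a header repeats, the first occurrence wins.
        headers.setdefault(unescape_header(k), unescape_header(v))
    body = rest[: rest.index("\x00")] if "\x00" in rest else rest
    return command, headers, body


def audit_login_frame(raw: str, live_session_ids: Set[str]) -> Optional[str]:
    """Return a finding if the frame exposes a usable session ID, else None.

    live_session_ids holds the raw JSESSIONID values the server currently
    knows; this is available server-side or in a test harness, which is where
    the audit is meant to run.
    """
    command, headers, _ = parse_frame(raw)
    value = headers.get(SESSION_HEADER)
    if command != "MESSAGE" or value is None:
        return None
    if value in live_session_ids:
        return f"raw session ID broadcast in '{SESSION_HEADER}' header"
    if not SHA256_HEX.match(value):
        return f"'{SESSION_HEADER}' is neither a live ID nor a SHA-256 digest"
    return None


if __name__ == "__main__":
    uid = "123-456-789-012"          # constructed user ID, not a real account
    sid = secrets.token_hex(16)      # constructed stand-in for a JSESSIONID
    for hashed in (False, True):
        frame = build_login_notification(uid, sid, hashed)
        print("hashed" if hashed else "raw   ", "->", audit_login_frame(frame, {sid}))
```

The audit belongs in the server's own integration tests or in a review of a WebSocket capture taken on the server side, where the raw session IDs are known; it flags both the original raw broadcast and any header value that is neither a live ID nor a 64-hex-digit digest. The digest is only unrecoverable because a JSESSIONID is a high-entropy random value; hashing a low-entropy identifier would not give the same protection.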

Disclosure timeline

2025-03-27: Vulnerability identified during an engagement
2025-04-07: NSIDE’s client agrees to responsible disclosure process
2025-04-07: Vendor notified, requested secure communication channel
2025-04-07: Vendor demands report through client
2025-04-16: NSIDE submits report to vendor
2025-04-28: Asked vendor for update, vendor had not yet reviewed the report
2025-05-07: Asked vendor for update, vendor had not yet reviewed the report
2025-05-08: Vendor acknowledges report
2025-05-28: NSIDE informed vendor about publication deadline on July 17, 2025
2025-06-25: Vendor releases version 6.2.0.3 including the fix for this vulnerability
2025-12-15: Advisory and associated blog post published by NSIDE

Contact/Credits

The vulnerability was discovered during an assessment by Jonas Lieb of NSIDE ATTACK LOGIC GmbH.

Disclaimer

The information in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at NSIDE ATTACK LOGIC GmbH’s website (https://www.nsideattacklogic.de/).