Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Approach.App Multiple Vulnerabilities

High

Synopsis

Researchers at Tenable have discovered a number of security-related issues with the services offered by Approach.app – a management application for recreational facilities. 

 

Tenable made several efforts to contact the Approach.app / TileFive team, but never received any responses. As such, these issues still exist in the product. In order to avoid potential exploitation and negative impacts to end users that may be unaware of these issues, our researchers have elected not to post specific technical details at this time.

 

Issues discovered include, but are not limited to, the following:

  • Information disclosures regarding Customer PII
  • Customer account takeover
  • Manipulation of customer carts
  • Account verification bypass
  • Ability to update administrative profile attributes for customers and other users
  • Disclosure of private and facility-specific information, such as available existing promotional discount codes.
  • Disclosure of server-side source code

 

Solution

No solution for these issues is available at the time of this writing as the Approach.App / TileFive team never responded to Tenable's contact attempts.

Disclosure Timeline

March 4, 2024 - Tenable requests security contact from vendor via Approach.app Knowledgebase and support contacts.
March 11, 2024 - Tenable requests security contact from vendor via chatbot on Approach.app website and via cold contacts on LinkedIn.
March 18, 2024 - Tenable requests security contact from vendor via several email addresses known to be associated with the vendor.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2024-12
Affected Products:
Approach.App Customer Portals
Risk Factor:
High

Advisory Timeline

April 19, 2024 - Initial release.