This would have (and probably has) allowed for a malicious attacker to drain any account that is behind the application. To make things worse, this is a shockingly simple vulnerability, which should have been picked up by simple bounds testing before application release.

This vulnerability has been patched in the April 2016 CPU, users of the banking application should update their sites as soon as possible. The developer was notified in January 2016. Non-authenticated, remote users can exploit this.

Classification / Timeline


Type Authentication
OWASP Top 10 A2: Broken Authentication and Session Management
CVSS Score 9.1
CV/E-Number CVE-2016-0699


Vendor Notified 29-01-2016
Vendor Patch 19-04-2016
Publicly Published 19-04-2016
Last Updated 19-04-2016