Impact
The /addJugador endpoint in the Assassin game allows an attacker with an authenticated session to modify critical parameters such as keyJugador, keyJugadorObjectiu, punts, numObjectiusEliminats, and tokens without any authorization checks. This enables the attacker to change other users’ identities, inflate scores, claim rewards, and self‑assign administrative privileges. Additionally, numeric fields permit extremely large values that can cause application crashes, providing a denial‑of‑service vector. The urlImatge parameter performs server‑side requests to arbitrary URLs, exposing the server to SSRF attacks, internal network enumeration, file disclosure, and unauthorized interaction with third‑party APIs. Together these weaknesses mean that a logged‑in attacker can hijack accounts, alter game outcomes, sabotage gameplay, and potentially gain broader network access.
Affected Systems
The vulnerable product is Gaudire Assassin game. No specific version information is provided.
Risk and Exploitability
The vulnerability has a CVSS score of 9.4, indicating critical severity. While no EPSS score is reported, the lack of mitigation makes exploitation highly likely if the attacker obtains a valid account. The flaw is not listed in CISA’s KEV catalog. Attack requires authentication and then exploits lack of validation and authorization checks, making it straightforward for anyone who can log in to the game to gain elevated privileges or disrupt operations.
OpenCVE Enrichment