SpiceJet Online Booking System
Severity: Low · Kind: Advisory
We've ingested this item but haven't summarised it yet. Read the upstream advisory using the link below in the meantime — the AI summary will appear here once the next run completes.
From the source
View CSAF Summary Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information. The following versions of SpiceJet Online Booking System are affected: Online Booking System vers:all/* (CVE-2026-6375, CVE-2026-6376) CVSS Vendor Equipment Vulnerabilities v3 7.5 SpiceJet SpiceJet Online Booking System Authorization Bypass Through User-Controlled Key, Missing Authentication for Critical Function Background Critical Infrastructure Sectors: Transportation Systems Countries/Areas Deployed: Worldwide Company Headquarters Location: India Vulnerabilities Expand All + CVE-2026-6375 A vulnerability in SpiceJet's booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access. View CVE Details Affected Products SpiceJet Online Booking System Vendor: SpiceJet Product Version: SpiceJet Online Booking System: vers:all/* Product Status: known_affected Remediations Mitigation SpiceJet did not respond to CISA's requests to coordinate. Users are encouraged to reach out to SpiceJet for more information: https://corporate.spicejet.com/contactus.aspx https://corporate.spicejet.com/contactus.aspx Relevant CWE: CWE-639 Authorization Bypass Through U
Was this useful?
Plain-English summaries are AI-generated and reviewed for tone, not technical accuracy. For incident response, always rely on the original source linked above.