Vulnerability Lab researchers disclosed two upatched bugs in BMW domains and its ConnectedDrive portal that could allow remote attackers to bypass validation procedures and or inject malicious code.
A VIN (vehicle identification number) session validation flaw in the automaker’s ConnectDrive portal can be exploited with a low-privilege user account and lead to the manipulation of VIN numbers and configuration settings, according to a July 7 disclosure.
Researchers also discovered a client-side cross-site scripting (XSS) vulnerability on the BMW web domain in the password reset token system that could potentially leading to session hijacking, phishing campaigns, or diversion of users to malicious domains, according to a separate July 7 disclosure.
Vulnerability labs disclosed the flaws to BMW in February 2016 and the German automaker responded to the reports in April 2016.
SCMagazine.com attempted to reach BMW for comment but it has yet to respond.