CVE ID: CVE-2025-61115
Vulnerability type: Incorrect Access Control
Product: ABC Fine Wine & Spirits (Android App)
Package Name: com.cta.abcfinewineandspirits
Version: 11.27.5
Vendor: ABC Liquors, Inc.
<aside> 💡
NOTE: We reported this issue via email on 2025-09-05. After more than 45 days without any response or remediation from the vendor, we are publishing this report on 2025-10-20 out of concern for transparency and user security. We remain open to cooperating with the vendor should they choose to respond in the future.
</aside>
The app does not verify the password during login. By modifying the password field to any value (e.g., “1”, even though the real password is not 1), it is still possible to log in and obtain a sessionid. Since subsequent operations use the sessionid for authentication, this allows logging into any account.
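
The sketch below shows the flaw class described above next to a corrected login check. It is an added illustration, not the vendor's code: the in-memory user store, the function names, the sample account and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample data: one account in a hypothetical in-memory store.
_SALT = os.urandom(16)
USERS = {"alice@example.com": {"salt": _SALT, "pw_hash": _hash("correct horse", _SALT)}}
SESSIONS = {}  # sessionid -> username


def _issue_session(username: str) -> str:
    sessionid = secrets.token_urlsafe(32)  # unguessable bearer token
    SESSIONS[sessionid] = username
    return sessionid


def login_vulnerable(username: str, password: str):
    """Flawed pattern: the account is looked up, the password is never compared."""
    if username in USERS:
        return _issue_session(username)
    return None


def login_hardened(username: str, password: str):
    """Issue a sessionid only when the submitted password matches the stored hash."""
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal valid accounts.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = _hash(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["pw_hash"]):
        return None
    return _issue_session(username)


if __name__ == "__main__":
    print("vulnerable, wrong password:", login_vulnerable("alice@example.com", "1"))
    print("hardened, wrong password:  ", login_hardened("alice@example.com", "1"))
```

A regression test that submits a wrong password and asserts that no sessionid is returned catches this class of defect before release.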
