Vulnerability Lab researchers have disclosed two unpatched bugs in BMW domains and its ConnectedDrive portal that could allow remote attackers to bypass validation procedures or inject malicious code.
A VIN (vehicle identification number) session validation flaw in the automaker's ConnectedDrive portal can be exploited with a low-privilege user account and lead to the manipulation of VIN numbers and configuration settings, according to a July 7 disclosure.
Researchers also discovered a client-side cross-site scripting (XSS) vulnerability in the password reset token system on the BMW web domain that could potentially lead to session hijacking, phishing campaigns, or diversion of users to malicious domains, according to a separate July 7 disclosure.
Vulnerability Lab disclosed the flaws to BMW in February 2016, and the German automaker responded to the reports in April 2016.
SCMagazine.com attempted to reach BMW for comment but the company has yet to respond.