Project

General

Profile

Actions
Copy link

Bug #30217

open

Voucher URLs accessible without authentication

Added by Amala Raju 3 days ago.

Status:
For Review
Priority:
Normal
Assignee:
Christopher David
Category:
-
Target version:
-
Start date:
11/20/2025
Due date:
% Done:

0%

Estimated time:
remarks:
DB Changes:
Keys & Permissions:
Areas Affected:
Files Changed:

Description

Hotel and air voucher pages can currently be opened directly via URL without any login, allowing unauthorized access. By changing the transaction ID in the URL, users can view other customers’ records. These voucher URLs must be protected so that they are accessible only during an active authenticated session (for in-house agents, B2B agents, or end users). Unauthorized access should be fully blocked.

For Reference:
https://b2cadmin.almaqam.com//PHPMail/PropertyTicket?TransactionID=3143&TransactionDetailID=3143&TransactionTypeID=3&Culture=en&HidePrice=false&HidePolicy=true&IsFixedPackage=false

Files

Screenshot 2025-11-20 140022.png (112 KB) Screenshot 2025-11-20 140022.png Amala Raju, 11/20/2025 02:00 PM

No data to display

Actions
Copy link

Also available in: Atom PDF