login to any user's cashier account and full account information disclosure
Program: Deriv
Bug Type: IDOR
Bounty: 300
Date: 2015-11-06
IDOR
sensitive-data-leak
account-takeover
Summary
The vulnerability lies in the cashier functionality, where the PIN parameter inside the source URL is used to identify a user's account. Because this parameter is not validated server-side, an attacker can change its value to another user's account ID. Doing so grants unauthorized access to the victim's cashier account, exposing sensitive PII such as full name, email, and phone number, and allowing account takeover. This is an Insecure Direct Object Reference (IDOR) leading to full compromise of user accounts and sensitive data disclosure.
This summary was generated by AI