Customer Data Exposure via Insecure Endpoint of coupon
Team Summary
Official summary from Mars
A security vulnerability was identified in the Royal Canin Greece website (██████). An insecure API endpoint is exposed that allows unauthorized access to customer information without requiring authentication. The endpoint in question is related to coupon functionality and reveals sensitive customer data including company names, phone numbers, email addresses, tokens, and coupon details. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a medium severity rating (CVSS score 5.7). By simply modifying a parameter in the request, information belonging to different customers can be accessed, enabling potential enumeration of all coupon data through basic parameter manipulation. This security flaw presents a significant risk to user privacy and data security, as it allows sensitive information to be accessed by unauthorized parties.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Information Disclosure