Description

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges.

PUBLISHED Reserved 2025-12-15 | Published 2026-01-22 | Updated 2026-01-26 | Assigner icscert




HIGH: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-472 External Control of Assumed-Immutable Web Parameter

Product status

Default status
unaffected

20200630 (custom) before 20241112
affected

Default status
unaffected

20200630 (custom) before 20241112
affected

Default status
unaffected

20220413 (custom) before 20240919
affected

Default status
unaffected

20230308 (custom) before 20250827
affected

Credits

Joel Aviad Ossi of WebSec B.V reported these vulnerabilities to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-26-022-05 government-resource

cve.org (CVE-2025-14750)

nvd.nist.gov (CVE-2025-14750)
