CVE-2025-2306 | THREATINT

Description

An Improper Access Control vulnerability was identified in the file download functionality. This vulnerability allows users to download sensitive documents without authentication, if the URL is known. The attack requires the attacker to know the documents UUIDv4.

PUBLISHED Reserved 2025-03-14 | Published 2025-05-16 | Updated 2025-05-16 | Assigner cirosec

MEDIUM: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-284 Improper Access Control

Product status

Default status

unaffected

3 (semver) before 5.4.12

affected

5.5 (semver) before 5.5.4

affected

5.6 (semver) before 5.6.3

affected

Timeline

2025-03-04:	Vendor was contacted and informed about the vulnerability via email.
2025-03-04:	Initial response received from vendor. Vendor acknowledged the vulnerability.
2025-03-12:	Vendor informed us that the issue was resolved.

Credits

Felix Schmid <felix.schmid@cirosec.de> finder

References

www.cirosec.de/sa/sa-2025-004

cve.org (CVE-2025-2306)

nvd.nist.gov (CVE-2025-2306)

Download JSON