CVE-2025-40645 | THREATINT

Description

Exposure of sensitive information in Viday. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to “/api/reserva/web/clients” using the “phone” parameter.

PUBLISHED Reserved 2025-04-16 | Published 2025-10-02 | Updated 2025-10-02 | Assigner INCIBE

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status

unaffected

all versions

affected

Credits

Carolina Gómez Uriarte finder

Gema de la Fuente Romero finder

References

www.incibe.es/...otices/aviso/multiple-vulnerabilities-viday

cve.org (CVE-2025-40645)

nvd.nist.gov (CVE-2025-40645)

Download JSON