CVE-2025-41077 | THREATINT

Description

IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality to access the application by impersonating any user, including those with administrative permissions.

PUBLISHED Reserved 2025-04-16 | Published 2026-01-12 | Updated 2026-01-12 | Assigner INCIBE

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status

unaffected

v4.5.13

affected

Credits

Carlos Aguadé Cabañas finder

References

www.incibe.es/.../multiple-vulnerabilities-viafirma-products

cve.org (CVE-2025-41077)

nvd.nist.gov (CVE-2025-41077)

Download JSON