CVE-2025-41099 | THREATINT

Description

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to the list of permissions using unauthorised internal identifiers.

PUBLISHED Reserved 2025-04-16 | Published 2025-09-30 | Updated 2025-09-30 | Assigner INCIBE

HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status

unaffected

2.5.24

affected

Credits

Ángel González finder

References

www.incibe.es/...irect-object-reference-gps-bold-workplanner

cve.org (CVE-2025-41099)

nvd.nist.gov (CVE-2025-41099)

Download JSON