
Description

Insecure Direct Object Reference (IDOR) vulnerability in i2A's CronosWeb, in versions up to and including 25.00.00.12. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the 'documentCode' parameter sent to '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas': the document is looked up by the client-supplied key without verifying that it belongs to the requesting user (CWE-639).
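The following is an added illustration of the bug class, not CronosWeb code and not taken from the advisory: the document store, the `Document` record, the handler names and the user identifiers are all assumptions made for the demonstration. It places a lookup keyed only on the client-supplied `documentCode` beside one that also binds the record to the session user, and includes the probe a tester would run (authenticate as one user, request another user's code) to tell the two apart.

```python
# Added illustration of CWE-639 (authorization bypass through a
# user-controlled key). This is NOT CronosWeb code: the document store,
# the lookup functions and the sample users are assumptions for the demo.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Document:
    code: str       # the 'documentCode' value the client sends
    owner_id: str   # the user the document belongs to
    content: bytes


# Constructed sample data: two users, one personal document each.
DOCUMENTS = {
    "DOC-1001": Document("DOC-1001", "user-alice", b"alice payslip"),
    "DOC-1002": Document("DOC-1002", "user-bob", b"bob contract"),
}


class AccessDenied(Exception):
    """Raised by the hardened handler when the record is missing or not the caller's."""


def vulnerable_fetch(session_user: str, document_code: str) -> Optional[Document]:
    """IDOR pattern: the caller is authenticated, but the record is selected
    purely by the client-supplied key, so any valid code returns any user's
    document. session_user is never consulted."""
    return DOCUMENTS.get(document_code)


def hardened_fetch(session_user: str, document_code: str) -> Document:
    """Same lookup, but the record must belong to the session user.
    Missing and foreign documents get the same error so the endpoint
    cannot be used as an oracle for which codes exist."""
    doc = DOCUMENTS.get(document_code)
    if doc is None or doc.owner_id != session_user:
        raise AccessDenied("document not found for this user")
    return doc


def idor_probe(fetch: Callable[[str, str], Optional[Document]],
               session_user: str, foreign_code: str) -> bool:
    """Return True if `fetch` lets session_user read a document they do not own.
    This is the check a tester runs against a suspected IDOR endpoint."""
    try:
        doc = fetch(session_user, foreign_code)
    except AccessDenied:
        return False
    return doc is not None and doc.owner_id != session_user


if __name__ == "__main__":
    # Bob, authenticated, asks for Alice's documentCode.
    print("vulnerable handler leaks:", idor_probe(vulnerable_fetch, "user-bob", "DOC-1001"))
    print("hardened handler leaks:  ", idor_probe(hardened_fetch, "user-bob", "DOC-1001"))
```

The fix is not input validation on `documentCode` (the value Bob sends is a perfectly well-formed code); it is the ownership check that ties the key to the authenticated session. Scoping the query itself to the session user (for example `WHERE code = ? AND owner_id = ?`) achieves the same thing one layer lower.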

Status: PUBLISHED | Reserved: 2025-04-16 | Published: 2025-12-10 | Updated: 2025-12-10 | Assigner: INCIBE




HIGH: 8.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N)

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status: unaffected

Affected: 25.00 and 24.05.

Credits

Félix Sánchez Medina (finder)

References

www.incibe.es/...secure-objects-idor-cronosweb-cronosweb-i2a

cve.org (CVE-2025-41358)

nvd.nist.gov (CVE-2025-41358)
