We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-48881

Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users



Description

Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object-urls are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations. This issue has been patched in version 12.13.0.RELEASE. A workaround for this issue involves overriding the endpoint security as defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer. Depending on the implementation, this could result in loss of functionality.

Reserved 2025-05-27 | Published 2025-05-30 | Updated 2025-06-04 | Assigner GitHub_M


HIGH: 8.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-863: Incorrect Authorization

Product status

>= 11.0.0.RELEASE, <= 11.3.3.RELEASE
affected

>= 12.0.0.RELEASE, < 12.13.0.RELEASE
affected

References

github.com/...raries/security/advisories/GHSA-965r-9cg9-g42p

github.com/...ommit/6ab04b30d3dab816bfea32d40ba50e5dd4517272

cve.org (CVE-2025-48881)

nvd.nist.gov (CVE-2025-48881)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-48881

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.