CVE-2025-1270

Published Feb 13, 2025

Last updated 10 days ago

CVSS critical 9.1

Overview

Description
Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.
Source
cve-coordination@incibe.es
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.3
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Severity
CRITICAL

Weaknesses

cve-coordination@incibe.es
CWE-639

Social media

Hype score
Not currently trending

  1. ⚠️#INCIBEaviso | Múltiples vulnerabilidades en #h6web de Grupo Anapi #CVE CVE-2025-1270 y CVE-2025-1271 https://t.co/68rJXmsPj1 #AvisosDeSeguridad #TI #CNA https://t.co/KnN6lPKrv7

    @incibe_cert

    13 Feb 2025

    406 Impressions

    2 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References