CVE-2025-1270

Published Feb 13, 2025

Last updated 2 months ago

CVSS critical 9.1

Overview

Description
Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.
Source
cve-coordination@incibe.es
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.3
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Severity
CRITICAL

Weaknesses

cve-coordination@incibe.es
CWE-639

Social media

Hype score
Not currently trending

  1. ⚠️#INCIBEaviso | Múltiples vulnerabilidades en #h6web de Grupo Anapi #CVE CVE-2025-1270 y CVE-2025-1271 https://t.co/68rJXmsPj1 #AvisosDeSeguridad #TI #CNA https://t.co/KnN6lPKrv7

    @incibe_cert

    13 Feb 2025

    406 Impressions

    2 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References