CVE-2025-41020

EPSS 0.06%
Veröffentlicht 16.10.2025 07:59:06
Zuletzt bearbeitet 21.10.2025 13:12:13
Quelle cve-coordination@incibe.es
CVE-Watchlists
Login
Unerledigt
Login

Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticket_a4.php'.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sergestec ≫ Exito Version8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.177

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cve-coordination@incibe.es	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sergestec-products

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-41020

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-41020

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-41020

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-41020