7.5

CVE-2025-54599

Exploit

EPSS 0.06%
Veröffentlicht 02.09.2025 00:00:00
Zuletzt bearbeitet 10.09.2025 18:48:37
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover, if SSO is used, when a victim changes the email address that they have configured. To exploit this, an attacker would create their own account and perform an SSO login. The root cause of the issue is SSO misconfiguration.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Bevy ≫ Events And Groups Version <= 2025-07-22

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.174

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://bevy.com/b/events-and-groups

Product

https://www.youtube.com/watch?v=wbmIvA09Ra8

Exploit

https://gist.github.com/deep1chil/558e8da919690a634bec684e7c4d0ffe

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-54599

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54599

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54599

EUVD