CVE-2025-0637

Critical

Published: 23 January 2025

Published

23 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0025 48.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

It has been found that the Beta10 software does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to access private areas and/or areas intended for other roles. The vulnerability has been identified at least in the file or path ‘/app/tools.html’.

Security Summary

CVE-2025-0637 is an improper authorization vulnerability (CWE-287) in the Beta10 software, where multiple areas of the application lack proper access controls. This deficiency allows unauthorized access to private areas or sections intended for specific roles, with the issue identified at least in the path '/app/tools.html'. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-23.

A remote attacker requires no authentication, privileges, or user interaction to exploit this over the network with low complexity. Successful exploitation grants the malicious actor access to restricted areas, enabling high-impact compromise of confidentiality, integrity, and availability as indicated by the CVSS metrics.

The INCIBE-CERT advisory provides further details on the inadequate access control issue in Beta10 at https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-beta10.

Details

CWE(s): CWE-287

References

https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-beta10
cve-coordination@incibe.es