CVE-2025-1270
Published: 13 February 2025
Description
Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.
Security Summary
CVE-2025-1270 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-639, in Anapi Group's h6web application. The issue affects the "/h6web/ha_datos_hermano.php" endpoint, where an authenticated attacker can modify the "pkrelated" parameter in a POST request to reference another user's data, enabling unauthorized access to other users' information.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows initial access to other users' information and impersonation via the first request. Subsequent requests are then executed with the privileges of the impersonated user, resulting in a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L), with high confidentiality impact, changed scope, and limited integrity and availability impacts.
INCIBE-CERT has published an advisory on multiple vulnerabilities in Anapi Group h6web, including CVE-2025-1270. Practitioners should refer to https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web for details on mitigation strategies and any available patches.
Details
- CWE(s)