CVE-2025-2220
Published: 12 March 2025
Description
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.
Security Summary
CVE-2025-2220 is a key management error vulnerability affecting Odyssey CMS versions up to 10.34. The issue resides in an unknown function within the file /modules/odyssey_contact_form/odyssey_contact_form.php, specifically the reCAPTCHA Handler component. Manipulation of the g-recaptcha-response argument triggers the flaw, classified under CWE-320 with a CVSS v3.1 base score of 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), indicating low severity primarily due to limited confidentiality impact.
A local attacker with low privileges can exploit this vulnerability with low complexity and without user interaction. Successful exploitation allows limited access to confidential information, such as the reCAPTCHA secret key, but does not impact integrity or availability.
Advisories from VulDB and a GitHub disclosure note that the exploit has been publicly released and may be actively used. The vendor was contacted early but provided no response, and no patches or mitigations are mentioned in available references. Security practitioners should review Odyssey CMS installations for hardcoded reCAPTCHA keys in the affected file and consider upgrading or implementing custom protections if feasible.
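The file review recommended above can be scripted. This is an added example, not code from Odyssey CMS or the referenced advisories; the 40-character `6L` key shape is a heuristic assumption, and the sample keys and the `RECAPTCHA_SECRET` variable name are constructed placeholders.

```python
import re
from pathlib import Path

# Assumption: reCAPTCHA keys are 40 URL-safe characters starting with "6L".
# Site keys and secret keys share this shape, so context decides severity.
KEY_LITERAL = re.compile(r"""(['"])(6L[0-9A-Za-z_-]{38})\1""")
SECRET_HINT = re.compile(r"secret|private|siteverify", re.IGNORECASE)

def redact(key):
    """Keep a short prefix so the report itself does not leak the key."""
    return key[:6] + "*" * (len(key) - 6)

def scan_php_source(text, name="<memory>"):
    """Find key-shaped string literals; comments are scanned too, because a
    commented-out key is still readable by anyone who can read the file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_LITERAL.finditer(line):
            severity = "secret" if SECRET_HINT.search(line) else "review"
            findings.append({"file": name, "line": lineno,
                             "severity": severity, "key": redact(match.group(2))})
    return findings

def scan_tree(root):
    """Scan every .php file under root, e.g. a CMS modules directory."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        findings.extend(scan_php_source(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed placeholders, not real keys.
FAKE_SITE = "6L" + "S" * 38
FAKE_SECRET = "6L" + "X" * 38
SAMPLE_WEAK = f'''<?php
$site_key = "{FAKE_SITE}";            // public by design, still worth a look
$recaptcha_secret = '{FAKE_SECRET}';  // embedded in source
'''
# Corrected form: the value is supplied at runtime (hypothetical variable name).
SAMPLE_FIXED = '''<?php
$recaptcha_secret = getenv('RECAPTCHA_SECRET');
'''

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_WEAK, "sample_weak.php"):
        print(finding)
    print("fixed sample findings:", scan_php_source(SAMPLE_FIXED, "sample_fixed.php"))
```

A key flagged as `secret` should be rotated in the reCAPTCHA admin console as well as removed from the file, since anyone who could already read the file may have copied it.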
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A hardcoded reCAPTCHA secret key in a PHP file enables discovery of unsecured credentials in files (T1552.001) and weakens encryption through poor key management and a reduced key space (T1600.001).