CVE-2025-2271
Published: 13 March 2025
Description
Adversaries may leverage information repositories to mine valuable information.
Security Summary
CVE-2025-2271 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the audit component in Issuetrak versions 17.2.2 and prior. It stems from improper access controls that enable a low-privileged user to access audit results belonging to other users. This exposure includes sensitive information such as user details, network and hardware data, installed programs, running processes, drives, and printers. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low attack complexity.
A low-privileged authenticated user can exploit this vulnerability remotely without user interaction by manipulating object references in the audit component. Successful exploitation allows the attacker to retrieve audit data from other users' activities, leading to unauthorized data exposure, privacy violations, and potential security risks through the disclosure of system configuration details.
Mitigation details are available in the Issuetrak release notes at https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes.
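The CWE-639 pattern described above, shown as an added illustration that is not Issuetrak's code: a lookup that trusts the client-supplied audit id beside one that scopes the lookup to the caller's own records, plus a small check over constructed access-log lines that flags cross-user reads. The `User`, `AuditResult`, `AUDITS` table and the log format are all assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    is_admin: bool = False

@dataclass(frozen=True)
class AuditResult:
    audit_id: int
    owner_id: int
    hostname: str

# Constructed sample data standing in for the application's audit table.
AUDITS = {
    101: AuditResult(101, owner_id=1, hostname="WS-ALICE"),
    102: AuditResult(102, owner_id=2, hostname="WS-BOB"),
}

class Forbidden(Exception):
    pass

def get_audit_insecure(current_user: User, audit_id: int) -> AuditResult:
    """CWE-639 pattern: the record is fetched by the client-supplied id alone,
    so any authenticated user can read any other user's audit result."""
    return AUDITS[audit_id]

def get_audit_secure(current_user: User, audit_id: int) -> AuditResult:
    """Object-level authorization: the lookup is scoped to the caller's own
    records (or to all records when the caller is an administrator)."""
    record = AUDITS.get(audit_id)
    if record is None or not (current_user.is_admin or record.owner_id == current_user.user_id):
        # One response for "missing" and "not yours", so the error type does
        # not reveal which audit ids exist.
        raise Forbidden(f"audit {audit_id} is not accessible to user {current_user.user_id}")
    return record

def cross_user_reads(log_lines: list[str]) -> list[tuple[int, int]]:
    """Detection helper for the vulnerable version: return (user_id, audit_id)
    pairs where a non-admin requester is not the record's owner. Assumed
    (constructed) log format: 'user=<id> admin=<0|1> GET /audit/<audit_id> 200'."""
    hits = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        audit_id = int(line.split("/audit/")[1].split()[0])
        user_id = int(fields["user"])
        record = AUDITS.get(audit_id)
        if record and fields["admin"] == "0" and record.owner_id != user_id:
            hits.append((user_id, audit_id))
    return hits
```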
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR vulnerability in the audit component directly enables unauthorized access to other users' audit data (including system details, processes, and configurations) stored in the application's information repository.