CVE-2025-2589
Published: 21 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-2589 is an improper authorization vulnerability affecting code-projects Human Resource Management System version 1.0.1. The flaw exists in the Index function within the file \handler\Account.go, where manipulation of the user_cookie argument enables unauthorized access. Classified as critical, it is associated with CWEs-266 (Incorrect Privilege Assignment), CWE-285 (Improper Authorization), and CWE-862 (Missing Authorization), with a CVSS 3.1 base score of 5.5.
Exploitation requires low privileges (PR:L) and access from an adjacent network (AV:A), with low attack complexity (AC:L) and no user interaction (UI:N). An attacker can achieve limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) in an unchanged scope (S:U), potentially bypassing authorization controls through the manipulated parameter.
The exploit has been publicly disclosed and may be used, as noted in the vulnerability description. Mitigation details, patches, or further advisories are referenced at https://code-projects.org/, https://github.com/38279/1/issues/1, https://vuldb.com/?ctiid.300569, https://vuldb.com/?id.300569, and https://vuldb.com/?submit.517343; security practitioners should consult these for updates. The vulnerability was published on 2025-03-21T13:15:34.830.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization via user_cookie manipulation in the Account handler allows a low-privileged attacker on an adjacent network to bypass controls and gain unauthorized access, directly enabling exploitation for privilege escalation.