CVE 8.3 HIGH

Insecure direct object reference (IDOR) in CronosWeb from CronosWeb i2A (CVE-2025-41358)

8.3 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Description

Insecure Direct Object Reference (IDOR) vulnerability in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the 'documentCode' parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.

Basic Information

ID CVE-2025-41358
Source INCIBE
Published Dec 10, 2025 at 11:16

Affected Product

Vendor CronosWeb i2A
Product CronosWeb
Version 25.00 and 24.05.
Affected Versions CronosWeb i2A CronosWeb 25.00 and 24.05.

CWE Classification

References
