{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "cerebrate", "vendor": "cerebrate", "versions": [{"lessThan": "1.30", "status": "affected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "ENISA"}, {"lang": "en", "type": "remediation developer", "value": "Sami Mokaddem"}, {"lang": "en", "type": "coordinator", "value": "Alexandre Dulaunoy"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Privilege escalation in <code>UsersController::edit</code> in Cerebrate Project (up to and including version v1.29) allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying the <code>role_id</code>/<code>organisation_id</code> fields in the edit request."}], "value": "Privilege escalation in UsersController::edit in Cerebrate Project (up to and including version v1.29) allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying the role_id/organisation_id fields in the edit request."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": 
"HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"url": "https://github.com/cerebrate-project/cerebrate/commit/c9bfa90abc85d4a20a9cc2f282959b72bef829bb"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html"}]}], "source": {"discovery": "UNKNOWN"}, "title": "Privilege escalation in Cerebrate allows an authenticated non-privileged user to escalate their privileges", "x_generator": {"engine": "Vulnogram 0.2.0"}}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2025-66385", "datePublished": "2025-11-12T08:15:00.000Z", "dateUpdated": "2025-11-28T07:22:08.205835Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2025-0017", "vulnerabilitylookup_history": [["alexandre.dulaunoy@circl.lu", "2025-11-12T08:15:46.336994Z"], ["alexandre.dulaunoy@circl.lu", "2025-11-28T07:20:30.439115Z"], ["alexandre.dulaunoy@circl.lu", "2025-11-28T07:22:08.205835Z"]]}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}
