CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CVE-2025-2230 (GCVE-0-2025-2230)
Vulnerability from cvelistv5 – Published: 2025-03-13 18:14 – Updated: 2025-03-17 20:05
VLAI
Title
Philips Intellispace Cardiovascular (ISCV) Improper Authentication
Summary
A flaw exists in the Windows login flow where an AuthContext token can
be exploited for replay attacks and authentication bypass.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Philips | Intellispace Cardiovascular (ISCV) |
Affected:
0 , ≤ 5.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-13T19:33:45.514056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T19:34:02.967Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Intellispace Cardiovascular (ISCV)",
"vendor": "Philips",
"versions": [
{
"lessThanOrEqual": "5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joe Dillon reported these vulnerabilities to Philips."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A flaw exists in the Windows login flow where an AuthContext token can \nbe exploited for replay attacks and authentication bypass."
}
],
"value": "A flaw exists in the Windows login flow where an AuthContext token can \nbe exploited for replay attacks and authentication bypass."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T20:05:56.939Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-072-01"
},
{
"url": "https://www.philips.com/a-w/security/security-advisories.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePhilips recommends the following mitigations:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eResolved in ISCV 5.2, which was released in September 2020.\u003c/span\u003e\n\n\u003c/li\u003e\n\n\u003cli\u003ePhilips recommends users upgrade ISCV installed base to the latest \nISCV version (at the time of this publication is 830089 \u2013 IntelliSpace \nCardiovacular 8.0.0.0)\u003c/li\u003e\n\u003cli\u003ePlease contact a local Philips sales (service) representative to learn how to engage this upgrade process.\u003c/li\u003e\n\u003cli\u003eFor managed services users, new releases will be made available upon\n resource availability. Releases are subject to country-specific \nregulations.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eRefer to the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.philips.com/a-w/security/security-advisories.html\"\u003ePhilips advisory\u003c/a\u003efor more details.\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Philips recommends the following mitigations:\n\n\n\n * \n\nResolved in ISCV 5.2, which was released in September 2020.\n\n\n\n\n * Philips recommends users upgrade ISCV installed base to the latest \nISCV version (at the time of this publication is 830089 \u2013 IntelliSpace \nCardiovacular 8.0.0.0)\n\n * Please contact a local Philips sales (service) representative to learn how to engage this upgrade process.\n\n * For managed services users, new releases will be made available upon\n resource availability. Releases are subject to country-specific \nregulations.\n\n\n\n\nRefer to the Philips advisory https://www.philips.com/a-w/security/security-advisories.html for more details."
}
],
"source": {
"advisory": "ICSMA-25-072-01",
"discovery": "EXTERNAL"
},
"title": "Philips Intellispace Cardiovascular (ISCV) Improper Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-2230",
"datePublished": "2025-03-13T18:14:43.573Z",
"dateReserved": "2025-03-11T20:14:50.017Z",
"dateUpdated": "2025-03-17T20:05:56.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22375 (GCVE-0-2025-22375)
Vulnerability from cvelistv5 – Published: 2025-04-10 11:02 – Updated: 2025-04-10 13:18
VLAI
Title
Authentication Bypass in CyberAudit-Web
Summary
An authentication bypass vulnerability was found in Videx's CyberAudit-Web. Through the exploitation of a logic flaw, an attacker could create a valid session without any credentials. This vulnerability has been patched in versions later than 9.5 and a patch has been made available to all instances of CyberAudit-Web, including the versions that are End of Maintenance (EOM). Anyone that requires support with the resolution of this issue can contact support@videx.com for assistance.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://csirt.divd.nl/CVE-2025-22375 | third-party-advisory |
| https://csirt.divd.nl/DIVD-2024-00043/ | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Videx Inc. | CyberAudit-Web |
Affected:
<= 9.5
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T13:09:37.581013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:18:18.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberAudit-Web",
"vendor": "Videx Inc.",
"versions": [
{
"status": "affected",
"version": "\u003c= 9.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hidde Smit (DIVD)"
},
{
"lang": "en",
"type": "finder",
"value": "Wietse Boonstra (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Max van der Horst (DIVD)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authentication bypass vulnerability was found in Videx\u0027s CyberAudit-Web. Through the exploitation of a logic flaw, an attacker could create a valid session without any credentials. This vulnerability has been patched in versions later than 9.5 and a patch has been made available to all instances of CyberAudit-Web, including the versions that are End of Maintenance (EOM). Anyone that requires support with the resolution of this issue can contact support@videx.com for assistance.\u003c/p\u003e"
}
],
"value": "An authentication bypass vulnerability was found in Videx\u0027s CyberAudit-Web. Through the exploitation of a logic flaw, an attacker could create a valid session without any credentials. This vulnerability has been patched in versions later than 9.5\u00a0and a patch has been made available to all instances of CyberAudit-Web, including the versions that are End of Maintenance (EOM). Anyone that requires support with the resolution of this issue can contact support@videx.com for assistance."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T11:02:46.646Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2025-22375"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2024-00043/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Authentication Bypass in CyberAudit-Web",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2025-22375",
"datePublished": "2025-04-10T11:02:46.646Z",
"dateReserved": "2025-01-03T14:56:05.687Z",
"dateUpdated": "2025-04-10T13:18:18.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22477 (GCVE-0-2025-22477)
Vulnerability from cvelistv5 – Published: 2025-05-06 16:03 – Updated: 2026-02-26 18:28
VLAI
Summary
Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges.
Severity
8.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00031731… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | Dell Storage Center - Dell Storage Manager |
Affected:
N/A , < 2020 R1.21
(semver)
|
Date Public
2025-05-05 17:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T03:56:13.261184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:28:52.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dell Storage Center - Dell Storage Manager",
"vendor": "Dell",
"versions": [
{
"lessThan": "2020 R1.21",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dell would like to thank sradulea or reporting this issue."
}
],
"datePublic": "2025-05-05T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges.\u003cbr\u003e"
}
],
"value": "Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T16:03:29.485Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000317318/dsa-2025-191-security-update-for-storage-center-dell-storage-manager-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-22477",
"datePublished": "2025-05-06T16:03:29.485Z",
"dateReserved": "2025-01-07T06:04:12.135Z",
"dateUpdated": "2026-02-26T18:28:52.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2339 (GCVE-0-2025-2339)
Vulnerability from cvelistv5 – Published: 2025-03-16 13:00 – Updated: 2025-03-17 14:31 Unsupported When Assigned
VLAI
Title
otale Tale Blog logs improper authentication
Summary
A vulnerability was found in otale Tale Blog 2.0.5. It has been classified as problematic. This affects an unknown part of the file /%61dmin/api/logs. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
Severity
5.3 (Medium)
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.299805 | vdb-entry |
| https://vuldb.com/?ctiid.299805 | signaturepermissions-required |
| https://vuldb.com/?submit.511578 | third-party-advisory |
| https://github.com/qkdjksfkeg/cve_article/blob/ma… | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2339",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T14:31:29.274118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T14:31:33.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/qkdjksfkeg/cve_article/blob/main/Tale/Unauthorized.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Tale Blog",
"vendor": "otale",
"versions": [
{
"status": "affected",
"version": "2.0.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yitclara (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in otale Tale Blog 2.0.5. It has been classified as problematic. This affects an unknown part of the file /%61dmin/api/logs. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in otale Tale Blog 2.0.5 ausgemacht. Sie wurde als problematisch eingestuft. Es betrifft eine unbekannte Funktion der Datei /%61dmin/api/logs. Dank der Manipulation mit unbekannten Daten kann eine improper authentication-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-16T13:00:07.828Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-299805 | otale Tale Blog logs improper authentication",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.299805"
},
{
"name": "VDB-299805 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.299805"
},
{
"name": "Submit #511578 | Tale Blog Tale v2.0.5 Exposure of Sensitive System Information to an Unauthorized Cont",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.511578"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/qkdjksfkeg/cve_article/blob/main/Tale/Unauthorized.md"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-03-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-15T16:08:28.000Z",
"value": "VulDB entry last update"
}
],
"title": "otale Tale Blog logs improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2339",
"datePublished": "2025-03-16T13:00:07.828Z",
"dateReserved": "2025-03-15T15:03:11.761Z",
"dateUpdated": "2025-03-17T14:31:33.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2344 (GCVE-0-2025-2344)
Vulnerability from cvelistv5 – Published: 2025-03-16 18:00 – Updated: 2025-03-17 14:17
VLAI
Title
IROAD Dash Cam X5/Dash Cam X6 API Endpoint missing authentication
Summary
A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
5.3 (Medium)
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.299810 | vdb-entry |
| https://vuldb.com/?ctiid.299810 | signaturepermissions-required |
| https://vuldb.com/?submit.516882 | third-party-advisory |
| https://github.com/geo-chen/IROAD#finding-4-remot… | related |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| IROAD | Dash Cam X5 |
Affected:
20250308
|
|
| IROAD | Dash Cam X6 |
Affected:
20250308
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T14:17:05.273310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T14:17:13.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"API Endpoint"
],
"product": "Dash Cam X5",
"vendor": "IROAD",
"versions": [
{
"status": "affected",
"version": "20250308"
}
]
},
{
"modules": [
"API Endpoint"
],
"product": "Dash Cam X6",
"vendor": "IROAD",
"versions": [
{
"status": "affected",
"version": "20250308"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "geochen (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine kritische Schwachstelle wurde in IROAD Dash Cam X5 and Dash Cam X6 bis 20250308 entdeckt. Davon betroffen ist unbekannter Code der Komponente API Endpoint. Mittels dem Manipulieren mit unbekannten Daten kann eine missing authentication-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-16T18:00:07.198Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-299810 | IROAD Dash Cam X5/Dash Cam X6 API Endpoint missing authentication",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.299810"
},
{
"name": "VDB-299810 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.299810"
},
{
"name": "Submit #516882 | IROAD Dashcam X series (X5, X6, etc) Missing Authentication",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.516882"
},
{
"tags": [
"related"
],
"url": "https://github.com/geo-chen/IROAD#finding-4-remotely-dump-video-footage-and-live-video-stream"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-15T19:27:53.000Z",
"value": "VulDB entry last update"
}
],
"title": "IROAD Dash Cam X5/Dash Cam X6 API Endpoint missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2344",
"datePublished": "2025-03-16T18:00:07.198Z",
"dateReserved": "2025-03-15T18:22:24.835Z",
"dateUpdated": "2025-03-17T14:17:13.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2388 (GCVE-0-2025-2388)
Vulnerability from cvelistv5 – Published: 2025-03-17 18:00 – Updated: 2025-03-17 18:34
VLAI
Title
Keytop 路内停车收费系统 API getParks improper authentication
Summary
A vulnerability was found in Keytop 路内停车收费系统 2.7.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /saas/commonApi/park/getParks of the component API. The manipulation leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.299887 | vdb-entry |
| https://vuldb.com/?ctiid.299887 | signaturepermissions-required |
| https://vuldb.com/?submit.516710 | third-party-advisory |
| https://github.com/K-mxredo/MXdocument/wiki | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T18:32:17.289756Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T18:34:14.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"API"
],
"product": "\u8def\u5185\u505c\u8f66\u6536\u8d39\u7cfb\u7edf",
"vendor": "Keytop",
"versions": [
{
"status": "affected",
"version": "2.7.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "SecHZredo (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Keytop \u8def\u5185\u505c\u8f66\u6536\u8d39\u7cfb\u7edf 2.7.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /saas/commonApi/park/getParks of the component API. The manipulation leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In Keytop \u8def\u5185\u505c\u8f66\u6536\u8d39\u7cfb\u7edf 2.7.1 wurde eine kritische Schwachstelle ausgemacht. Betroffen ist eine unbekannte Verarbeitung der Datei /saas/commonApi/park/getParks der Komponente API. Mittels dem Manipulieren mit unbekannten Daten kann eine improper authentication-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T18:00:05.264Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-299887 | Keytop \u8def\u5185\u505c\u8f66\u6536\u8d39\u7cfb\u7edf API getParks improper authentication",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.299887"
},
{
"name": "VDB-299887 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.299887"
},
{
"name": "Submit #516710 | Keytop \u8def\u5185\u505c\u8f66\u6536\u8d39\u7cfb\u7edf V2.7.1 Sensitive Data Exposure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.516710"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/K-mxredo/MXdocument/wiki"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-16T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-16T18:23:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "Keytop \u8def\u5185\u505c\u8f66\u6536\u8d39\u7cfb\u7edf API getParks improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2388",
"datePublished": "2025-03-17T18:00:05.264Z",
"dateReserved": "2025-03-16T17:18:17.747Z",
"dateUpdated": "2025-03-17T18:34:14.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24032 (GCVE-0-2025-24032)
Vulnerability from cvelistv5 – Published: 2025-02-10 15:43 – Updated: 2025-05-21 15:48
VLAI
Title
PAM-PKCS#11 vulnerable to authentication bypass with default value for `cert_policy` (`none`)
Summary
PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/OpenSC/pam_pkcs11/security/adv… | x_refsource_CONFIRM |
| https://github.com/OpenSC/pam_pkcs11/commit/47026… | x_refsource_MISC |
| https://github.com/OpenSC/pam_pkcs11/commit/b665b… | x_refsource_MISC |
| https://github.com/OpenSC/pam_pkcs11/commit/d9530… | x_refsource_MISC |
| https://github.com/OpenSC/pam_pkcs11/releases/tag… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2025… | |
| https://www.vicarius.io/vsociety/posts/cve-2025-2… | |
| https://www.vicarius.io/vsociety/posts/cve-2025-2… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenSC | pam_pkcs11 |
Affected:
< 0.6.13
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:20:48.577434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T15:45:25.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-05-21T15:48:59.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00021.html"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24032-detect-vulnerability-in-linux-pam-module"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24032-mitigate-linux-pam-module-vulnerability"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "pam_pkcs11",
"vendor": "OpenSC",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user\u0027s public data (e.g. the user\u0027s certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key\u0027s signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T15:43:47.166Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-8r8p-7mgp-vf56",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-8r8p-7mgp-vf56"
},
{
"name": "https://github.com/OpenSC/pam_pkcs11/commit/470263258d1ac59c5eade439c4d9caba0097e6e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenSC/pam_pkcs11/commit/470263258d1ac59c5eade439c4d9caba0097e6e6"
},
{
"name": "https://github.com/OpenSC/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenSC/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48"
},
{
"name": "https://github.com/OpenSC/pam_pkcs11/commit/d9530167966a77115db6e885d459382a2e52ee9e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenSC/pam_pkcs11/commit/d9530167966a77115db6e885d459382a2e52ee9e"
},
{
"name": "https://github.com/OpenSC/pam_pkcs11/releases/tag/pam_pkcs11-0.6.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenSC/pam_pkcs11/releases/tag/pam_pkcs11-0.6.13"
}
],
"source": {
"advisory": "GHSA-8r8p-7mgp-vf56",
"discovery": "UNKNOWN"
},
"title": "PAM-PKCS#11 vulnerable to authentication bypass with default value for `cert_policy` (`none`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24032",
"datePublished": "2025-02-10T15:43:47.166Z",
"dateReserved": "2025-01-16T17:31:06.460Z",
"dateUpdated": "2025-05-21T15:48:59.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24894 (GCVE-0-2025-24894)
Vulnerability from cvelistv5 – Published: 2025-02-18 18:39 – Updated: 2025-02-18 19:46
VLAI
Title
SAML Response Signature Verification Bypass in SPID.AspNetCore.Authentication
Summary
SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP's public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/italia/spid-aspnetcore/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| italia | spid-aspnetcore |
Affected:
< 3.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24894",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T19:42:44.965339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:46:06.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spid-aspnetcore",
"vendor": "italia",
"versions": [
{
"status": "affected",
"version": "\u003c 3.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP\u0027s public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T18:39:37.089Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw"
}
],
"source": {
"advisory": "GHSA-36h8-r92j-w9vw",
"discovery": "UNKNOWN"
},
"title": "SAML Response Signature Verification Bypass in SPID.AspNetCore.Authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24894",
"datePublished": "2025-02-18T18:39:37.089Z",
"dateReserved": "2025-01-27T15:32:29.451Z",
"dateUpdated": "2025-02-18T19:46:06.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24895 (GCVE-0-2025-24895)
Vulnerability from cvelistv5 – Published: 2025-02-18 18:39 – Updated: 2025-02-18 19:39
VLAI
Title
SAML Response Signature Verification Bypass in CIE.AspNetCore.Authentication
Summary
CIE.AspNetCore.Authentication is an AspNetCore Remote Authenticator for CIE 3.0. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: 1. Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; 2. Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The library cie-aspnetcore refers to the second entity, the SP, and implements the validation logic of SAML assertions within SAML responses. In affected versions there is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP's public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This issue has been addressed in version 2.1.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/italia/cie-aspnetcore/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| italia | cie-aspnetcore |
Affected:
< 2.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24895",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T19:39:11.324365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:39:32.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cie-aspnetcore",
"vendor": "italia",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CIE.AspNetCore.Authentication is an AspNetCore Remote Authenticator for CIE 3.0. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: 1. Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; 2. Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The library cie-aspnetcore refers to the second entity, the SP, and implements the validation logic of SAML assertions within SAML responses. In affected versions there is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP\u0027s public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This issue has been addressed in version 2.1.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T18:39:39.096Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/italia/cie-aspnetcore/security/advisories/GHSA-vq63-8f72-f486",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/italia/cie-aspnetcore/security/advisories/GHSA-vq63-8f72-f486"
}
],
"source": {
"advisory": "GHSA-vq63-8f72-f486",
"discovery": "UNKNOWN"
},
"title": "SAML Response Signature Verification Bypass in CIE.AspNetCore.Authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24895",
"datePublished": "2025-02-18T18:39:39.096Z",
"dateReserved": "2025-01-27T15:32:29.451Z",
"dateUpdated": "2025-02-18T19:39:32.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24904 (GCVE-0-2025-24904)
Vulnerability from cvelistv5 – Published: 2025-02-13 15:24 – Updated: 2025-02-13 16:25
VLAI
Title
libsignal-service-rs doesn't sanity check plaintext envelopes are not sanity-checked
Summary
libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, plaintext content envelopes could be injected by a server or a malicious client, and may have been able to bypass the end-to-end encryption and authentication. The vulnerability is fixed per 82d70f6720e762898f34ae76b0894b0297d9b2f8. The `Metadata` struct contains an additional `was_encrypted` field, which breaks the API, but should be easily resolvable. No known workarounds are available.
Severity
8.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/whisperfish/libsignal-service-… | x_refsource_CONFIRM |
| https://github.com/whisperfish/libsignal-service-… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| whisperfish | libsignal-service-rs |
Affected:
< 82d70f6720e762898f34ae76b0894b0297d9b2f8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-13T16:25:30.197253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T16:25:36.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "libsignal-service-rs",
"vendor": "whisperfish",
"versions": [
{
"status": "affected",
"version": "\u003c 82d70f6720e762898f34ae76b0894b0297d9b2f8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, plaintext content envelopes could be injected by a server or a malicious client, and may have been able to bypass the end-to-end encryption and authentication. The vulnerability is fixed per 82d70f6720e762898f34ae76b0894b0297d9b2f8. The `Metadata` struct contains an additional `was_encrypted` field, which breaks the API, but should be easily resolvable. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T15:24:20.246Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/whisperfish/libsignal-service-rs/security/advisories/GHSA-hrrc-wpfw-5hj2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/whisperfish/libsignal-service-rs/security/advisories/GHSA-hrrc-wpfw-5hj2"
},
{
"name": "https://github.com/whisperfish/libsignal-service-rs/commit/82d70f6720e762898f34ae76b0894b0297d9b2f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/whisperfish/libsignal-service-rs/commit/82d70f6720e762898f34ae76b0894b0297d9b2f8"
}
],
"source": {
"advisory": "GHSA-hrrc-wpfw-5hj2",
"discovery": "UNKNOWN"
},
"title": "libsignal-service-rs doesn\u0027t sanity check plaintext envelopes are not sanity-checked"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24904",
"datePublished": "2025-02-13T15:24:20.246Z",
"dateReserved": "2025-01-27T15:32:29.453Z",
"dateUpdated": "2025-02-13T16:25:36.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.