Search criteria
2 vulnerabilities found for Portal Meu RH by TOTVS
CVE-2025-9193 (GCVE-0-2025-9193)
Vulnerability from cvelistv5 – Published: 2025-08-20 00:02 – Updated: 2025-08-22 12:11 Unsupported When Assigned
VLAI?
Title
TOTVS Portal Meu RH Password Reset redirect
Summary
A flaw has been found in TOTVS Portal Meu RH up to 12.1.17. Impacted is an unknown function of the component Password Reset Handler. Executing manipulation of the argument redirectUrl can lead to open redirect. The attack may be performed from a remote location. The exploit has been published and may be used. Upgrading to version 12.1.2410.274, 12.1.2502.178 and 12.1.2506.121 is recommended to address this issue. It is recommended to upgrade the affected component. The vendor explains, that "[o]ur internal validation (...) confirms that the reported behavior does not exist in currently supported releases. In these tests, the redirectUrl parameter is ignored, and no malicious redirection occurs." This vulnerability only affects products that are no longer supported by the maintainer.
Severity ?
CWE
- CWE-601 - Open Redirect
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TOTVS | Portal Meu RH |
Affected:
12.1.0
Affected: 12.1.1 Affected: 12.1.2 Affected: 12.1.3 Affected: 12.1.4 Affected: 12.1.5 Affected: 12.1.6 Affected: 12.1.7 Affected: 12.1.8 Affected: 12.1.9 Affected: 12.1.10 Affected: 12.1.11 Affected: 12.1.12 Affected: 12.1.13 Affected: 12.1.14 Affected: 12.1.15 Affected: 12.1.16 Affected: 12.1.17 Unaffected: 12.1.2410.274 Unaffected: 12.1.2502.178 Unaffected: 12.1.2506.121 |
Credits
Eduardo Schwarz
Trenshyiavv (VulDB User)
Trenshyiavv (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9193",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:58:03.009154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:15:52.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Password Reset Handler"
],
"product": "Portal Meu RH",
"vendor": "TOTVS",
"versions": [
{
"status": "affected",
"version": "12.1.0"
},
{
"status": "affected",
"version": "12.1.1"
},
{
"status": "affected",
"version": "12.1.2"
},
{
"status": "affected",
"version": "12.1.3"
},
{
"status": "affected",
"version": "12.1.4"
},
{
"status": "affected",
"version": "12.1.5"
},
{
"status": "affected",
"version": "12.1.6"
},
{
"status": "affected",
"version": "12.1.7"
},
{
"status": "affected",
"version": "12.1.8"
},
{
"status": "affected",
"version": "12.1.9"
},
{
"status": "affected",
"version": "12.1.10"
},
{
"status": "affected",
"version": "12.1.11"
},
{
"status": "affected",
"version": "12.1.12"
},
{
"status": "affected",
"version": "12.1.13"
},
{
"status": "affected",
"version": "12.1.14"
},
{
"status": "affected",
"version": "12.1.15"
},
{
"status": "affected",
"version": "12.1.16"
},
{
"status": "affected",
"version": "12.1.17"
},
{
"status": "unaffected",
"version": "12.1.2410.274"
},
{
"status": "unaffected",
"version": "12.1.2502.178"
},
{
"status": "unaffected",
"version": "12.1.2506.121"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eduardo Schwarz"
},
{
"lang": "en",
"type": "reporter",
"value": "Trenshyiavv (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "Trenshyiavv (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in TOTVS Portal Meu RH up to 12.1.17. Impacted is an unknown function of the component Password Reset Handler. Executing manipulation of the argument redirectUrl can lead to open redirect. The attack may be performed from a remote location. The exploit has been published and may be used. Upgrading to version 12.1.2410.274, 12.1.2502.178 and 12.1.2506.121 is recommended to address this issue. It is recommended to upgrade the affected component. The vendor explains, that \"[o]ur internal validation (...) confirms that the reported behavior does not exist in currently supported releases. In these tests, the redirectUrl parameter is ignored, and no malicious redirection occurs.\" This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "In TOTVS Portal Meu RH bis 12.1.17 ist eine Schwachstelle entdeckt worden. Betroffen davon ist eine unbekannte Funktion der Komponente Password Reset Handler. Durch das Manipulieren des Arguments redirectUrl mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden. Mit einem Upgrade auf Version 12.1.2410.274, 12.1.2502.178 and 12.1.2506.121 l\u00e4sst sich dieses Problem beheben. Die Aktualisierung der betroffenen Komponente wird empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "Open Redirect",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T12:11:21.504Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-320579 | TOTVS Portal Meu RH Password Reset redirect",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.320579"
},
{
"name": "VDB-320579 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.320579"
},
{
"name": "Submit #636360 | TOTVS Portal Meu RH 12.1.17 Open Redirect combined with phishing in password reset",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.636360"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://drive.google.com/file/d/1iorjSJ8gh3hTDZUy1fHyV-TJXFP43yIo/view?usp=sharing"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-08-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-22T14:12:59.000Z",
"value": "VulDB entry last update"
}
],
"title": "TOTVS Portal Meu RH Password Reset redirect"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9193",
"datePublished": "2025-08-20T00:02:07.078Z",
"dateReserved": "2025-08-19T17:13:21.967Z",
"dateUpdated": "2025-08-22T12:11:21.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9193 (GCVE-0-2025-9193)
Vulnerability from nvd – Published: 2025-08-20 00:02 – Updated: 2025-08-22 12:11 Unsupported When Assigned
VLAI?
Title
TOTVS Portal Meu RH Password Reset redirect
Summary
A flaw has been found in TOTVS Portal Meu RH up to 12.1.17. Impacted is an unknown function of the component Password Reset Handler. Executing manipulation of the argument redirectUrl can lead to open redirect. The attack may be performed from a remote location. The exploit has been published and may be used. Upgrading to version 12.1.2410.274, 12.1.2502.178 and 12.1.2506.121 is recommended to address this issue. It is recommended to upgrade the affected component. The vendor explains, that "[o]ur internal validation (...) confirms that the reported behavior does not exist in currently supported releases. In these tests, the redirectUrl parameter is ignored, and no malicious redirection occurs." This vulnerability only affects products that are no longer supported by the maintainer.
Severity ?
CWE
- CWE-601 - Open Redirect
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TOTVS | Portal Meu RH |
Affected:
12.1.0
Affected: 12.1.1 Affected: 12.1.2 Affected: 12.1.3 Affected: 12.1.4 Affected: 12.1.5 Affected: 12.1.6 Affected: 12.1.7 Affected: 12.1.8 Affected: 12.1.9 Affected: 12.1.10 Affected: 12.1.11 Affected: 12.1.12 Affected: 12.1.13 Affected: 12.1.14 Affected: 12.1.15 Affected: 12.1.16 Affected: 12.1.17 Unaffected: 12.1.2410.274 Unaffected: 12.1.2502.178 Unaffected: 12.1.2506.121 |
Credits
Eduardo Schwarz
Trenshyiavv (VulDB User)
Trenshyiavv (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9193",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:58:03.009154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:15:52.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Password Reset Handler"
],
"product": "Portal Meu RH",
"vendor": "TOTVS",
"versions": [
{
"status": "affected",
"version": "12.1.0"
},
{
"status": "affected",
"version": "12.1.1"
},
{
"status": "affected",
"version": "12.1.2"
},
{
"status": "affected",
"version": "12.1.3"
},
{
"status": "affected",
"version": "12.1.4"
},
{
"status": "affected",
"version": "12.1.5"
},
{
"status": "affected",
"version": "12.1.6"
},
{
"status": "affected",
"version": "12.1.7"
},
{
"status": "affected",
"version": "12.1.8"
},
{
"status": "affected",
"version": "12.1.9"
},
{
"status": "affected",
"version": "12.1.10"
},
{
"status": "affected",
"version": "12.1.11"
},
{
"status": "affected",
"version": "12.1.12"
},
{
"status": "affected",
"version": "12.1.13"
},
{
"status": "affected",
"version": "12.1.14"
},
{
"status": "affected",
"version": "12.1.15"
},
{
"status": "affected",
"version": "12.1.16"
},
{
"status": "affected",
"version": "12.1.17"
},
{
"status": "unaffected",
"version": "12.1.2410.274"
},
{
"status": "unaffected",
"version": "12.1.2502.178"
},
{
"status": "unaffected",
"version": "12.1.2506.121"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eduardo Schwarz"
},
{
"lang": "en",
"type": "reporter",
"value": "Trenshyiavv (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "Trenshyiavv (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in TOTVS Portal Meu RH up to 12.1.17. Impacted is an unknown function of the component Password Reset Handler. Executing manipulation of the argument redirectUrl can lead to open redirect. The attack may be performed from a remote location. The exploit has been published and may be used. Upgrading to version 12.1.2410.274, 12.1.2502.178 and 12.1.2506.121 is recommended to address this issue. It is recommended to upgrade the affected component. The vendor explains, that \"[o]ur internal validation (...) confirms that the reported behavior does not exist in currently supported releases. In these tests, the redirectUrl parameter is ignored, and no malicious redirection occurs.\" This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "In TOTVS Portal Meu RH bis 12.1.17 ist eine Schwachstelle entdeckt worden. Betroffen davon ist eine unbekannte Funktion der Komponente Password Reset Handler. Durch das Manipulieren des Arguments redirectUrl mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden. Mit einem Upgrade auf Version 12.1.2410.274, 12.1.2502.178 and 12.1.2506.121 l\u00e4sst sich dieses Problem beheben. Die Aktualisierung der betroffenen Komponente wird empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "Open Redirect",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T12:11:21.504Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-320579 | TOTVS Portal Meu RH Password Reset redirect",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.320579"
},
{
"name": "VDB-320579 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.320579"
},
{
"name": "Submit #636360 | TOTVS Portal Meu RH 12.1.17 Open Redirect combined with phishing in password reset",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.636360"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://drive.google.com/file/d/1iorjSJ8gh3hTDZUy1fHyV-TJXFP43yIo/view?usp=sharing"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-08-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-22T14:12:59.000Z",
"value": "VulDB entry last update"
}
],
"title": "TOTVS Portal Meu RH Password Reset redirect"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9193",
"datePublished": "2025-08-20T00:02:07.078Z",
"dateReserved": "2025-08-19T17:13:21.967Z",
"dateUpdated": "2025-08-22T12:11:21.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}