CVE-2025-4762 (GCVE-0-2025-4762)

Vulnerability from cvelistv5 – Published: 2025-05-15 11:49 – Updated: 2025-05-15 13:28
VLAI?
Summary
Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers.
Severity ?
2 (Low)
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
Lleidanet PKI eSigna Unaffected: 1.3.2
Unaffected: 1.4.4
Unaffected: 4.0.4
Unaffected: 4.1.4
Unaffected: 5.0.2
Unaffected: 5.1.2
Unaffected: 5.2.4
Unaffected: 5.3.3
Unaffected: 5.4.1
Create a notification for this product.
Credits
Pablo Alcarria Lozano
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-15T13:26:47.028851Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-15T13:28:18.267Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "packageName": "eSignaViewer",
          "product": "eSigna",
          "vendor": "Lleidanet PKI",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.3.2"
            },
            {
              "status": "unaffected",
              "version": "1.4.4"
            },
            {
              "status": "unaffected",
              "version": "4.0.4"
            },
            {
              "status": "unaffected",
              "version": "4.1.4"
            },
            {
              "status": "unaffected",
              "version": "5.0.2"
            },
            {
              "status": "unaffected",
              "version": "5.1.2"
            },
            {
              "status": "unaffected",
              "version": "5.2.4"
            },
            {
              "status": "unaffected",
              "version": "5.3.3"
            },
            {
              "status": "unaffected",
              "version": "5.4.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pablo Alcarria Lozano"
        }
      ],
      "datePublic": "2024-12-03T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers."
            }
          ],
          "value": "Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122: Insecure Direct Object Reference"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T11:50:05.461Z",
        "orgId": "8ca67973-55d1-4246-bb7c-ce7e65ad8782",
        "shortName": "Edgewatch"
      },
      "references": [
        {
          "url": "https://edgewatch.com/vulnerability-advisories/path-traversal-and-idor-vulnerabilities-in-esignaviewer-allow-unauthorized-file-access/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Users should immediately upgrade to the corresponding fixed version to eliminate these vulnerabilities and protect sensitive data from unauthorized access."
            }
          ],
          "value": "Users should immediately upgrade to the corresponding fixed version to eliminate these vulnerabilities and protect sensitive data from unauthorized access."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Insecure Direct Object Reference (IDOR) vulnerability in eSignaViewer",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8ca67973-55d1-4246-bb7c-ce7e65ad8782",
    "assignerShortName": "Edgewatch",
    "cveId": "CVE-2025-4762",
    "datePublished": "2025-05-15T11:49:59.054Z",
    "dateReserved": "2025-05-15T11:45:21.855Z",
    "dateUpdated": "2025-05-15T13:28:18.267Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-4762\",\"sourceIdentifier\":\"8ca67973-55d1-4246-bb7c-ce7e65ad8782\",\"published\":\"2025-05-15T12:15:23.560\",\"lastModified\":\"2025-05-16T14:43:26.160\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de referencia directa a objetos insegura (IDOR) en el componente eSignaViewer en las versiones 1.0 a 1.5 del producto eSigna en todas las plataformas permite que un atacante no autenticado acceda a archivos arbitrarios en el sistema de documentos mediante la manipulaci\u00f3n de rutas de archivos e identificadores de objetos.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"8ca67973-55d1-4246-bb7c-ce7e65ad8782\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.0,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"8ca67973-55d1-4246-bb7c-ce7e65ad8782\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://edgewatch.com/vulnerability-advisories/path-traversal-and-idor-vulnerabilities-in-esignaviewer-allow-unauthorized-file-access/\",\"source\":\"8ca67973-55d1-4246-bb7c-ce7e65ad8782\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-4762\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-15T13:26:47.028851Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-15T13:27:16.048Z\"}}], \"cna\": {\"title\": \"Insecure Direct Object Reference (IDOR) vulnerability in eSignaViewer\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Pablo Alcarria Lozano\"}], \"impacts\": [{\"capecId\": \"CAPEC-122\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-122: Insecure Direct Object Reference\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Lleidanet PKI\", \"product\": \"eSigna\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.3.2\"}, {\"status\": \"unaffected\", \"version\": \"1.4.4\"}, {\"status\": \"unaffected\", \"version\": \"4.0.4\"}, {\"status\": \"unaffected\", \"version\": \"4.1.4\"}, {\"status\": \"unaffected\", \"version\": \"5.0.2\"}, {\"status\": \"unaffected\", \"version\": \"5.1.2\"}, {\"status\": \"unaffected\", \"version\": \"5.2.4\"}, {\"status\": \"unaffected\", \"version\": \"5.3.3\"}, {\"status\": \"unaffected\", \"version\": \"5.4.1\"}], \"packageName\": \"eSignaViewer\", \"defaultStatus\": \"affected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Users should immediately upgrade to the corresponding fixed version to eliminate these vulnerabilities and protect sensitive data from unauthorized access.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Users should immediately upgrade to the corresponding fixed version to eliminate these vulnerabilities and protect sensitive data from unauthorized access.\", \"base64\": false}]}], \"datePublic\": \"2024-12-03T12:00:00.000Z\", \"references\": [{\"url\": \"https://edgewatch.com/vulnerability-advisories/path-traversal-and-idor-vulnerabilities-in-esignaviewer-allow-unauthorized-file-access/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"8ca67973-55d1-4246-bb7c-ce7e65ad8782\", \"shortName\": \"Edgewatch\", \"dateUpdated\": \"2025-05-15T11:50:05.461Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-4762\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-15T13:28:18.267Z\", \"dateReserved\": \"2025-05-15T11:45:21.855Z\", \"assignerOrgId\": \"8ca67973-55d1-4246-bb7c-ce7e65ad8782\", \"datePublished\": \"2025-05-15T11:49:59.054Z\", \"assignerShortName\": \"Edgewatch\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.