CVE-2025-10014
BaseFortify

Publication date: 2025-09-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in elunez eladmin up to version 2.7. It affects the function updateUserEmail of the file /api/users/updateEmail/ in the component Email Address Handler. Manipulating the argument id/email can lead to improper authorization. The attack may be performed remotely. Attacks of this nature are highly complex, and exploitability is said to be difficult. An exploit has been published and may be used. It is required to know the RSA-encrypted password of the attacked user account.
Meta Information
Published: 2025-09-05
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-09-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: eladmin; Product: eladmin; Version / Range: up to 2.7 (inclusive)
CWE IDs
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-10014 is a Broken Function Level Authorization vulnerability in the elunez eladmin application (up to version 2.7). It affects the updateUserEmail function in the UserController, which handles email updates via the /api/users/updateEmail/ API endpoint. The vulnerability allows an attacker to manipulate the id or username fields in the request to update another user's email address without proper authorization. Although the function retrieves the current authenticated user, it fails to verify that the user being updated matches the authenticated user, leading to improper authorization checks. Exploiting this flaw requires knowing the RSA-encrypted password of the targeted user account and is considered difficult. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can allow an attacker to change the email address of other users without authorization, potentially leading to account takeover by redirecting communications or resetting passwords via the new email. Additionally, unauthorized access to error logs may expose sensitive information, facilitating further attacks. Overall, it compromises the integrity of user accounts and can lead to unauthorized access and control over affected accounts. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring API requests to the endpoint /api/users/updateEmail/ for attempts to manipulate the id or username fields in the request body. Network or application logs should be inspected for POST requests to this endpoint in which the authenticated user does not match the user id/email being updated. Specific commands depend on the environment; for example, using curl to confirm that an unauthorized email update is rejected, or searching server logs with 'grep' for requests to /api/users/updateEmail/, can help detect exploitation attempts. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the /api/users/updateEmail/ endpoint to only authorized users and implementing strict authorization checks to ensure that the authenticated user matches the user whose email is being updated. Since no known countermeasures or patches are currently available, it is recommended to replace or upgrade the affected eladmin product to a version without this vulnerability or apply custom authorization fixes. Additionally, monitoring and alerting on suspicious activity targeting this endpoint is advised. [3]
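The detection and monitoring advice above can be turned into a concrete log sweep. The following is an added example, not code from BaseFortify or from the eladmin project: it assumes an application log in JSON-lines form that records the authenticated principal and the parsed request body (a constructed format, not eladmin's own), and flags POSTs to the advisory's endpoint whose body names a user other than the caller, which is exactly the check the vulnerable handler fails to make.

```python
import json
from typing import Iterable

# Constructed sample log in JSON-lines form. The field layout (authenticated
# principal plus parsed request body) is an assumption for this example, not
# eladmin's own log format; the endpoint path is the one named in the advisory.
SAMPLE_LOG = """\
{"ts":"2025-09-05T10:00:01Z","method":"POST","path":"/api/users/updateEmail/","user":{"id":7,"name":"alice"},"body":{"id":7,"email":"alice@example.com"}}
{"ts":"2025-09-05T10:00:05Z","method":"POST","path":"/api/users/updateEmail/","user":{"id":7,"name":"alice"},"body":{"id":12,"email":"alice@example.com"}}
{"ts":"2025-09-05T10:00:09Z","method":"GET","path":"/api/users","user":{"id":7,"name":"alice"},"body":{}}
{"ts":"2025-09-05T10:00:12Z","method":"POST","path":"/api/users/updateEmail/","user":{"id":3,"name":"bob"},"body":{"username":"admin","email":"bob@example.com"}}
not valid json at all
"""

ENDPOINT = "/api/users/updateEmail/"


def find_id_mismatches(lines: Iterable[str]) -> list[dict]:
    """Return one finding per POST to the updateEmail endpoint whose body names
    a user (by id or username) other than the authenticated principal."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # unparsable line: skip it, never abort the whole sweep
        if rec.get("method") != "POST" or not str(rec.get("path", "")).startswith(ENDPOINT):
            continue
        auth = rec.get("user") or {}
        body = rec.get("body") or {}
        reasons = []
        # The server should derive the target from the session; a client-supplied
        # id or username that differs from the caller is the signature to alert on.
        if "id" in body and body["id"] != auth.get("id"):
            reasons.append(f"body.id={body['id']} != auth.id={auth.get('id')}")
        if "username" in body and body["username"] != auth.get("name"):
            reasons.append(f"body.username={body['username']!r} != auth.name={auth.get('name')!r}")
        if reasons:
            findings.append({"line": lineno, "ts": rec.get("ts"),
                             "auth_id": auth.get("id"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_id_mismatches(SAMPLE_LOG.splitlines()):
        print(finding)
```

Running it on the constructed sample reports lines 2 and 4 only; the self-update on line 1, the unrelated GET and the malformed line are ignored.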

