CVE-2025-10014
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in elunez eladmin up to 2.7. This impacts the function updateUserEmail of the file /api/users/updateEmail/ of the component Email Address Handler. Executing manipulation of the argument id/email can lead to improper authorization. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is said to be difficult. The exploit has been published and may be used. It is required to know the RSA-encrypted password of the attacked user account.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10014
EUVD
EUVD-2025-27024
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
eladmin eladmin to 2.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10014 is a Broken Function Level Authorization vulnerability in the elunez eladmin application (up to version 2.7). It affects the updateUserEmail function in the UserController, which handles email updates via the /api/users/updateEmail/ API endpoint. The vulnerability allows an attacker to manipulate the id or username fields in the request to update another user's email address without proper authorization. Although the function retrieves the current authenticated user, it fails to verify that the user being updated matches the authenticated user, leading to improper authorization checks. Exploiting this flaw requires knowing the RSA-encrypted password of the targeted user account and is considered difficult. [1, 2, 3]

Impact Analysis

This vulnerability can allow an attacker to change the email address of other users without authorization, potentially leading to account takeover by redirecting communications or resetting passwords via the new email. Additionally, unauthorized access to error logs may expose sensitive information, facilitating further attacks. Overall, it compromises the integrity of user accounts and can lead to unauthorized access and control over affected accounts. [2, 3]

Detection Guidance

Detection of this vulnerability involves monitoring API requests to the endpoint /api/users/updateEmail/ for unauthorized attempts to manipulate the id or username fields in the request body. Network or application logs should be inspected for suspicious POST requests to this endpoint where the authenticated user does not match the user id/email being updated. Specific commands depend on the environment, but for example, using curl to test unauthorized email updates or using log search commands like 'grep' on server logs to find suspicious requests to /api/users/updateEmail/ can help detect exploitation attempts. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /api/users/updateEmail/ endpoint to only authorized users and implementing strict authorization checks to ensure that the authenticated user matches the user whose email is being updated. Since no known countermeasures or patches are currently available, it is recommended to replace or upgrade the affected eladmin product to a version without this vulnerability or apply custom authorization fixes. Additionally, monitoring and alerting on suspicious activity targeting this endpoint is advised. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart