CVE-2025-10390
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-14

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-14
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2025-09-14
EPSS Evaluated
2026-05-05
NVD
CVE-2025-10390
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
crmeb crmeb to 5.6.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-10390 is an improper authorization vulnerability in CRMEB up to version 5.6.1, specifically in the editAddress function of the UserAddressServices.php file. The vulnerability allows an attacker to manipulate the address ID parameter to modify or delete user addresses that do not belong to them, bypassing authorization checks. This means unauthorized users can change or remove other users' address information remotely. [1, 2]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing unauthorized attackers to modify or delete user address data within your CRMEB system. This compromises the integrity and availability of user information, potentially leading to data loss, unauthorized data changes, and disruption of services relying on accurate user address data. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by searching for requests targeting the vulnerable function, specifically URLs containing "app/services/user/UserAddressServices.php". Network monitoring or web server logs can be inspected for such requests. Additionally, Google Dorking can be used to locate exposed instances by searching for URLs with "app/services/user/UserAddressServices.php". To detect exploitation attempts, you can monitor HTTP requests that manipulate the 'id' parameter in calls to the editAddress function. Example command to search web server logs for suspicious requests: grep 'app/services/user/UserAddressServices.php' /var/log/apache2/access.log | grep 'id=' [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoint by implementing proper authorization checks to verify ownership of the address ID before allowing modifications. Since no vendor-provided patches or mitigations are available, it is recommended to replace the affected component with an alternative product or disable the vulnerable functionality if possible. Additionally, monitor and block suspicious requests targeting the editAddress function to reduce exploitation risk. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart