CVE-2025-59945
BaseFortify
Publication date: 2025-09-27
Last updated on: 2025-12-11
Assigner: GitHub, Inc.
Description
SysReptor versions from 2024.74 up to but not including 2025.83 let an authenticated user without admin rights assign the is_project_admin permission to their own account (CWE-266, incorrect privilege assignment). With that flag set, the user can read, modify and delete pentesting projects they are not a member of. The issue is fixed in 2025.83.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| syslifters | sysreptor | From 2024.74 (inc) to 2025.83 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in SysReptor versions from 2024.74 up to but not including 2025.83 allows an authenticated user without admin privileges to assign the is_project_admin permission to their own account. Because that permission grants access to all projects, the user can then read, modify and delete pentesting projects they are not a member of and should not be able to reach.
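The pattern behind CWE-266 here is a profile-update path that writes whatever fields the caller sends, privileged flags included. The following Python is an added illustration of that pattern beside its hardened form; it is not SysReptor's code, and the field names, the `User` model and the `Forbidden` error are assumptions chosen for the example. Only the `is_project_admin` name and its effect (access to every project) come from the advisory.

```python
from dataclasses import dataclass

# Hypothetical field sets for the illustration; they are not SysReptor's model.
SELF_EDITABLE_FIELDS = {"email", "first_name", "last_name"}
PRIVILEGED_FIELDS = {"is_superuser", "is_project_admin"}


@dataclass
class User:
    username: str
    email: str = ""
    first_name: str = ""
    last_name: str = ""
    is_superuser: bool = False
    is_project_admin: bool = False


class Forbidden(Exception):
    """Raised when the actor is not allowed to perform the update."""


def _check_target(actor: User, target: User) -> None:
    # Both variants get this part right: you may edit yourself, superusers may edit anyone.
    if actor.username != target.username and not actor.is_superuser:
        raise Forbidden("only superusers may edit other accounts")


def update_user_vulnerable(actor: User, target: User, data: dict) -> User:
    """CWE-266 shape: every field in the request body is written to the model,
    so a non-admin editing their own profile can set is_project_admin."""
    _check_target(actor, target)
    for key, value in data.items():
        if hasattr(target, key):  # only guards against unknown names, not privileged ones
            setattr(target, key, value)
    return target


def update_user_fixed(actor: User, target: User, data: dict) -> User:
    """Hardened form: privileged flags are writable only by a superuser, and any
    field outside the actor's allowlist is rejected rather than silently dropped."""
    _check_target(actor, target)
    allowed = set(SELF_EDITABLE_FIELDS)
    if actor.is_superuser:
        allowed |= PRIVILEGED_FIELDS
    rejected = set(data) - allowed
    if rejected:
        raise Forbidden(f"fields not permitted for this actor: {sorted(rejected)}")
    for key, value in data.items():
        setattr(target, key, value)
    return target


def can_read_project(user: User, members: set) -> bool:
    """Project access rule: members, or anyone holding is_project_admin.
    This is why self-assigning the flag exposes every project."""
    return user.is_project_admin or user.username in members


def demo() -> dict:
    """Send the same attacker request through both variants and report the outcome."""
    project_members = {"carol"}  # constructed sample: the attacker is not a member
    payload = {"email": "mallory@example.org", "is_project_admin": True}

    mallory = User("mallory")
    update_user_vulnerable(mallory, mallory, payload)
    vulnerable_escalated = can_read_project(mallory, project_members)

    mallory2 = User("mallory")
    try:
        update_user_fixed(mallory2, mallory2, payload)
        fixed_rejected = False
    except Forbidden:
        fixed_rejected = True

    # The fix must still let a real superuser grant the flag to someone else.
    admin = User("root", is_superuser=True)
    bob = User("bob")
    update_user_fixed(admin, bob, {"is_project_admin": True})

    return {
        "vulnerable_escalated": vulnerable_escalated,
        "fixed_rejected": fixed_rejected,
        "fixed_still_allows_admin_grant": bob.is_project_admin,
        "fixed_left_attacker_unprivileged": not mallory2.is_project_admin,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The important design choice is rejecting unknown or privileged fields outright instead of ignoring them: a silently dropped `is_project_admin` hides the fact that someone is probing the endpoint, whereas a `Forbidden` response is something you can alert on.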
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access and modification of sensitive pentesting project data. Users without proper permissions can read confidential information, alter project details, or delete projects, potentially compromising the integrity and confidentiality of pentesting reports and related data.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade SysReptor to version 2025.83 or later, where the issue has been patched. Upgrading closes the assignment path but does not tell you whether anyone already used it, so after the upgrade review which accounts currently hold is_project_admin and revoke the flag from any account that should not have it.
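When checking an inventory of SysReptor instances against the affected range above, compare the version components numerically. This is an added helper, not part of the advisory or of SysReptor; it assumes version strings of the form YEAR.NUMBER as shown in the affected-versions table, and accepts additional dot-separated numeric components should any appear.

```python
AFFECTED_FROM = "2024.74"  # inclusive, from the affected-versions table
FIXED_IN = "2025.83"       # exclusive: first patched release


def parse_version(version: str) -> tuple:
    """Turn 'YEAR.NUMBER' (or any dot-separated run of integers) into a tuple
    so that comparison is numeric per component."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the given SysReptor version falls inside [AFFECTED_FROM, FIXED_IN)."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


def is_affected_string_compare(version: str) -> bool:
    """The wrong way, kept only to show the pitfall: plain string comparison
    sorts '2025.9' after '2025.83' and would report it as already patched."""
    return AFFECTED_FROM <= version < FIXED_IN


def triage(instances: dict) -> dict:
    """Map instance name -> version to instance name -> needs_upgrade."""
    return {name: is_affected(version) for name, version in instances.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"reporting-prod": "2025.82", "reporting-staging": "2025.83", "lab": "2024.60"}
    for name, needs_upgrade in triage(sample).items():
        print(f"{name}: {'UPGRADE' if needs_upgrade else 'ok'}")
```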