CVE-2025-11580
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2026-02-24

Assigner: VulDB

Description
A weakness has been identified in PowerJob up to 5.1.2. This affects the function list of the file /user/list. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2025-10-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11580
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
powerjob powerjob to 5.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11580 is an authorization vulnerability in PowerJob versions up to 5.1.2 affecting the /user/list endpoint. Due to missing authorization checks, unauthenticated users can remotely access this endpoint and retrieve the entire user list. This happens because the method handling this endpoint lacks proper access control annotations and checks, allowing unauthorized access to sensitive user information. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by exposing sensitive user information without requiring authentication. Unauthorized actors can remotely retrieve the full list of users, compromising confidentiality. This could lead to further attacks or misuse of the exposed user data. [1, 2]

Detection Guidance

This vulnerability can be detected by sending an unauthenticated HTTP GET request to the /user/list endpoint of the PowerJob server and checking if the user list is returned without authentication. For example, you can use the following command to test this: curl -X GET http://<target-ip-or-domain>/user/list If the response contains user information without requiring authentication headers, the system is vulnerable. [1]

Mitigation Strategies

Immediate mitigation involves enforcing proper authorization on the /user/list endpoint. Specifically, adding authorization checks such as the @ApiPermission annotation to restrict access to authenticated and authorized users only. If patching is not immediately possible, consider restricting external access to the affected endpoint via network controls or firewall rules until an update is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11580. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart