CVE-2025-12288
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in Bdtask Pharmacy Management System up to 9.4. Affected is an unknown function of the file /user/edit_user/ of the component User Profile Handler. Performing manipulation results in authorization bypass. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12288
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bdtask pharmacare to 9.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-12288 is an authorization bypass vulnerability in Bdtask Pharmacy Management System up to version 9.4, specifically in the User Profile Handler component at the /user/edit_user/ endpoint. The system uses predictable user IDs in the URL but lacks proper authorization checks to verify if the authenticated user has permission to access or edit the requested user profile. This allows an attacker to manipulate the user ID parameter to access or modify other users' profiles without authorization, resulting in a breach of confidentiality. The vulnerability is classified as an Insecure Direct Object Reference (IDOR) and can be exploited remotely without local access. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized access to other users' profile data within the Bdtask Pharmacy Management System. An attacker who is authenticated can manipulate the user ID parameter to view or modify other users' profiles, potentially exposing sensitive personal or medical information. This breach of confidentiality can undermine trust, lead to data leaks, and cause harm to affected individuals. Since the exploit is publicly available and the vendor has not provided mitigation, the risk of exploitation is significant. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring requests to the /user/edit_user/ endpoint of the Bdtask Pharmacy Management System and checking for unauthorized access attempts where the user ID parameter is manipulated. Since the vulnerability involves altering the user ID in the URL to access or edit other users' profiles, you can detect it by inspecting HTTP requests for unusual or sequential user ID changes. For example, using network monitoring tools or web server logs, look for requests with different user ID parameters from the same authenticated user. Specific commands depend on your environment, but a simple approach is to use tools like curl or wget to test access: curl -i -X GET 'http://<target>/user/edit_user/?id=2' and then change the id parameter to other values to see if unauthorized access is possible. Additionally, web application firewalls (WAF) or intrusion detection systems (IDS) can be configured to alert on such parameter tampering. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /user/edit_user/ endpoint to only authorized users and implementing proper server-side authorization checks to verify that the authenticated user has permission to view or edit the requested user profile. Since no official patch or vendor response is available, consider applying access control rules at the web server or network level to limit exposure. Monitoring and logging access to this endpoint for suspicious activity is also recommended. Ultimately, replacing or upgrading the affected product to a version without this vulnerability is advised. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12288. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart