CVE-2025-40645
BaseFortify
Publication date: 2025-10-02
Last updated on: 2025-10-02
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Viday allows an unauthenticated attacker to obtain sensitive customer information by sending an HTTP GET request to the endpoint "/api/reserva/web/clients" with the "phone" parameter. The endpoint returns this information without requiring authentication.
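For triage on a server that hosts the affected endpoint, the following added example (not part of the advisory and not vendor code) summarises GET requests to that endpoint carrying the "phone" parameter, grouped by client address. It assumes access logs in Combined Log Format; the threshold, the function name and the sample log lines are constructed for illustration. An access log does not record whether a request was authenticated, so flagged addresses are leads for review.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/reserva/web/clients"  # path named in the advisory
PARAM = "phone"                        # parameter named in the advisory
DISTINCT_THRESHOLD = 3                 # assumed triage threshold, tune per site

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, made-up phone values).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Oct/2025:10:00:01 +0000] "GET /api/reserva/web/clients?phone=600000001 HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [02/Oct/2025:10:00:02 +0000] "GET /api/reserva/web/clients?phone=600000002 HTTP/1.1" 200 498 "-" "-"
203.0.113.7 - - [02/Oct/2025:10:00:03 +0000] "GET /api/reserva/web/clients?phone=600000003 HTTP/1.1" 200 530 "-" "-"
203.0.113.7 - - [02/Oct/2025:10:00:04 +0000] "GET /api/reserva/web/clients?phone=600000004 HTTP/1.1" 404 21 "-" "-"
198.51.100.20 - - [02/Oct/2025:10:05:00 +0000] "GET /api/reserva/web/clients?phone=600000001 HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [02/Oct/2025:10:05:09 +0000] "GET /api/reserva/web/clients HTTP/1.1" 200 64 "-" "-"
192.0.2.5 - - [02/Oct/2025:10:06:00 +0000] "POST /api/reserva/web/clients?phone=600000009 HTTP/1.1" 405 0 "-" "-"
192.0.2.5 - - [02/Oct/2025:10:06:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
"""

def find_lookups(log_text):
    """Summarise GET requests to ENDPOINT that carry PARAM, grouped by client IP."""
    stats = defaultdict(lambda: {"hits": 0, "ok": 0, "phones": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
        if url.path.rstrip("/") != ENDPOINT or not values:
            continue
        entry = stats[m["ip"]]
        entry["hits"] += 1
        entry["ok"] += m["status"].startswith("2")  # count 2xx responses
        entry["phones"].update(values)
    # Mark for review: at least one 2xx response and many distinct phone values.
    return {
        ip: {"hits": e["hits"], "ok": e["ok"], "distinct": len(e["phones"]),
             "review": e["ok"] > 0 and len(e["phones"]) >= DISTINCT_THRESHOLD}
        for ip, e in stats.items()
    }
```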
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive customer information, potentially resulting in privacy breaches, identity theft, or other malicious activities by attackers who exploit the exposed data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability could negatively impact compliance with data protection regulations such as GDPR and HIPAA, as it involves unauthorized exposure of sensitive customer information, which these standards require to be protected against unauthorized access and disclosure.