CVE-2025-41345
BaseFortify
Publication date: 2025-11-04
Last updated on: 2025-11-05
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canaldenuncia | canaldenuncia.app | up to 4.4.8 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a lack of authorization in the CanalDenuncia.app application. It allows an attacker to access other users' information by sending a specially crafted POST request with the parameters 'id_denuncia' and 'id_user' to the endpoint '/backend/api/buscarDenunciasById.php'. Essentially, the application does not properly verify if the requesting user is authorized to view the data they are requesting, leading to unauthorized data access.
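
The missing check described above, shown as an added example (not CanalDenuncia.app's code, which this page does not include): a hypothetical handler that takes the caller's identity from the server-side session and confirms ownership of the report before returning it. The function name `lookupReport`, the in-memory `REPORT_OWNERS` data and the one-owner-per-report model are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the database: report id => owner's user id.
const REPORT_OWNERS = [101 => 7, 102 => 8];

/**
 * Hypothetical lookup handler (assumed design, not the vendor's code).
 * $sessionUserId is the identity established at login and held server-side.
 * Returns [HTTP status, payload].
 */
function lookupReport(?int $sessionUserId, array $post): array
{
    if ($sessionUserId === null) {
        return [401, ['error' => 'authentication required']];
    }

    $reportId = filter_var($post['id_denuncia'] ?? null, FILTER_VALIDATE_INT);
    if ($reportId === false) {
        return [400, ['error' => 'invalid id_denuncia']];
    }

    // id_user from the request body is only a claim; refuse it when it
    // disagrees with the session instead of trusting it.
    if (array_key_exists('id_user', $post)
        && filter_var($post['id_user'], FILTER_VALIDATE_INT) !== $sessionUserId) {
        return [403, ['error' => 'id_user does not match session']];
    }

    // Ownership check: "missing" and "not yours" get the same answer so
    // report ids cannot be enumerated.
    $owner = REPORT_OWNERS[$reportId] ?? null;
    if ($owner !== $sessionUserId) {
        return [404, ['error' => 'report not found']];
    }

    return [200, ['id_denuncia' => $reportId, 'id_user' => $owner]];
}

// Constructed requests, all made from the session of user 7.
$cases = [
    "own report"          => ['id_denuncia' => '101', 'id_user' => '7'],
    "other user's report" => ['id_denuncia' => '102', 'id_user' => '7'],
    "mismatched id_user"  => ['id_denuncia' => '102', 'id_user' => '8'],
];
foreach ($cases as $label => $post) {
    [$status] = lookupReport(7, $post);
    echo "$label: HTTP $status\n";
}
```
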
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive user information. An attacker exploiting this flaw can access private data of other users without permission, potentially leading to privacy breaches, identity theft, or misuse of personal information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively impact compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access to personal or sensitive information. Such unauthorized disclosures violate principles of data confidentiality and access control required by these standards, potentially resulting in legal and regulatory consequences.