CVE-2025-14567
BaseFortify
Publication date: 2025-12-12
Last updated on: 2025-12-23
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haxxorsid | stock-management-system | up to 2018-01-27 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized remote access to sensitive employee data due to missing authentication in the /api/employees endpoint, which compromises confidentiality. Such unauthorized access to personal or sensitive information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal data. Since the vulnerability is unpatched and the product is no longer supported, organizations using this system may face increased risk of data breaches and regulatory violations. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing access to the /api/employees endpoint without authentication. You can use tools like curl or wget to send requests and check if unauthorized access is possible. For example, running a command like `curl -v http://<target>/api/employees` and observing if sensitive employee data is returned without authentication indicates the vulnerability. Additionally, monitoring network traffic for unauthorized API calls to /api/employees could help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Since no patches or vendor mitigations are available and the product is no longer supported, immediate steps include restricting access to the /api/employees endpoint by network controls such as firewalls or VPNs, disabling or removing the vulnerable API if possible, and replacing the affected system with an alternative product that is actively maintained and secure. [1, 3]
Can you explain this vulnerability to me?
This vulnerability is a weakness in the haxxorsid Stock-Management-System affecting the /api/employees endpoint. It allows an attacker to manipulate the system in a way that bypasses authentication, potentially enabling unauthorized access. The attack can be launched remotely, and the exploit is publicly available. The affected versions are no longer supported by the maintainer.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to the system by bypassing authentication controls. This could allow attackers to access sensitive employee data or perform actions without proper authorization, potentially compromising confidentiality.