CVE-2025-61075
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-12
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adata | mitarbeiter_portal | up to 2.16.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to confidential employee data and manipulation of workflows by low-privileged authenticated users, which could lead to violations of data protection regulations such as GDPR and HIPAA due to improper access control and potential exposure of sensitive personal information. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and intercepting API requests to the affected endpoints and checking for unauthorized access or manipulation attempts. For example, intercept and modify parameters such as user IDs (`Pnr`) in requests to endpoints like `/Zeiterfassung/MeineZeiten/CreateFromGrid` to see whether unauthorized actions are accepted. Additionally, test whether a low-privileged account can reach administrative log files via the `/Administration/Log/Show/log<date>` endpoints. Tools such as curl or Burp Suite can send crafted requests to these endpoints with modified parameters to check whether unauthorized access is possible. Example curl command to test unauthorized email retrieval: `curl -u user:password "https://<target>/Administration/EmailDropDown/GetUserMails?userId=<otherUserId>"`. Monitoring logs for unexpected API calls or parameter tampering can also help detect exploitation attempts. [2]
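As a defensive complement to the log-monitoring suggestion above, the following is an added example (not code from BaseFortify or from adata) that scans access-log lines for cross-user requests to the endpoints named in this record. The log line format, the set of admin accounts, and the assumption that the `userId` value uses the same identifier as the authenticated user are all assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Endpoint named in the record together with the parameter that selects the
# target user (mapping is an assumption). Form-body parameters such as Pnr on
# CreateFromGrid are not present in a plain access log, so only query strings
# are inspected here.
WATCHED = {"/Administration/EmailDropDown/GetUserMails": "userId"}
ADMIN_PREFIX = "/Administration/Log/Show/"

# Assumed log format: "<client> <auth_user> <METHOD> <path?query> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def inspect_line(line, admins=frozenset()):
    """Return a finding dict if a request looks like cross-user access, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _client, auth_user, _method, target, status = m.groups()
    url = urlparse(target)
    # Any non-admin account reaching the log viewer is suspicious on its own.
    if url.path.startswith(ADMIN_PREFIX) and auth_user not in admins:
        return {"user": auth_user, "path": url.path, "reason": "admin endpoint", "status": status}
    key = WATCHED.get(url.path)
    if key is None:
        return None
    requested = parse_qs(url.query).get(key, [None])[0]
    # The authenticated user asking for somebody else's record is the CWE-639 pattern.
    if requested is not None and requested != auth_user and auth_user not in admins:
        return {"user": auth_user, "path": url.path, "reason": f"{key}={requested}", "status": status}
    return None


def scan(lines, admins=frozenset()):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in (inspect_line(l, admins) for l in lines) if f]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 u1001 GET /Administration/EmailDropDown/GetUserMails?userId=u1001 200
10.0.0.5 u1001 GET /Administration/EmailDropDown/GetUserMails?userId=u2002 200
10.0.0.7 u1001 GET /Administration/Log/Show/log2025-12-09 200
10.0.0.9 admin GET /Administration/Log/Show/log2025-12-09 200
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, admins={"admin"}):
        print(finding)
```

A 200 status on a flagged line indicates the server accepted the cross-user request, which is the signal to escalate; a 403 means the access control held.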
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the adata Mitarbeiterportal software to version 2.16.1 or later, as this version addresses the vulnerabilities. Until the update can be applied, restrict access to the affected API endpoints to trusted users only, monitor API usage for suspicious activity, and enforce strict authentication and authorization controls. Additionally, review and limit permissions of low-privileged users to minimize potential abuse of the access control flaws. [2]
Can you explain this vulnerability to me?
This vulnerability involves multiple incorrect access control issues in adata Software GmbH Mitarbeiterportal version 2.15.2.0. It allows remote authenticated users with low privileges to perform administrative functions and manipulate data of other users by making unauthorized API calls.
How can this vulnerability impact me?
The vulnerability can allow low-privileged users to escalate their privileges and perform administrative actions, potentially leading to unauthorized data manipulation and compromise of user data integrity and confidentiality.