CVE-2025-41077
IDOR in Viafirma Inbox 4.5.13 Enables Admin Account Takeover

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
An IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users and to access and modify their data. This allows users' email addresses to be modified and, subsequently, the password recovery functionality to be used to access the application by impersonating any user, including those with administrative permissions.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-13
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Vendor    Product   Version / Range
viafirma  inbox     up to 4.5.27 (exclusive)
viafirma  inbox     4.5.27
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-41077 is an Insecure Direct Object Reference (IDOR) vulnerability in Viafirma Inbox version 4.5.13 and earlier. It allows any authenticated user, even without special privileges, to list all users and access or modify their data, including email addresses. By changing email addresses, an attacker can exploit the password recovery feature to impersonate any user, including administrators, gaining unauthorized access. [1]

How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to the application by allowing attackers to impersonate any user, including those with administrative privileges. This can result in data breaches, unauthorized data modification, and potential full control over the affected system. [1]

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves verifying whether the installed Viafirma Inbox version is 4.5.13 or earlier, as these versions are vulnerable. Since the vulnerability allows any authenticated user to list all users and modify their data, it can be confirmed by attempting to enumerate users and modify email addresses through the application interface or API with an unprivileged authenticated account. Specific commands are not provided in the resources. [1]

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Viafirma Inbox to version 4.5.27 or later, where this vulnerability has been fixed. Additionally, restrict access to authenticated users and monitor for suspicious activity involving user enumeration or email modification. [1]

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.