CVE-2025-41078
Authorization Bypass in Viafirma Documents v3.7.129 Enables Privilege Escalation
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| viafirma | documents | 3.7.129 |
| viafirma | inbox | to 4.5.27 (exc) |
| viafirma | inbox | 4.5.27 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Viafirma Documents v3.7.129 involves weaknesses in the authorization mechanisms that allow an authenticated user without privileges to list and access other users' data. Additionally, such a user can use features for creating, modifying, and deleting users, and escalate privileges by impersonating other users during document generation and signing.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to other users' data, unauthorized user management actions (creation, modification, deletion), and privilege escalation through user impersonation. This can result in data breaches, unauthorized document signing, and potential misuse of the application by attackers.