Search criteria
2 vulnerabilities found for CronosWeb by CronosWeb i2A
CVE-2025-41358 (GCVE-0-2025-41358)
Vulnerability from nvd – Published: 2025-12-10 11:16 – Updated: 2025-12-10 16:40
VLAI?
Title
Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A
Summary
Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CronosWeb i2A | CronosWeb |
Affected:
25.00 and 24.05.
|
Credits
Félix Sánchez Medina
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T16:40:23.797946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T16:40:32.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CronosWeb",
"vendor": "CronosWeb i2A",
"versions": [
{
"status": "affected",
"version": "25.00 and 24.05."
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F\u00e9lix S\u00e1nchez Medina"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Direct Object Reference Vulnerability (IDOR) in i2A\u0027s CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users\u0027 documents by manipulating the \u2018documentCode\u2019 parameter in \u0027/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas\u0027."
}
],
"value": "Direct Object Reference Vulnerability (IDOR) in i2A\u0027s CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users\u0027 documents by manipulating the \u2018documentCode\u2019 parameter in \u0027/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas\u0027."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T11:16:28.620Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/direct-reference-insecure-objects-idor-cronosweb-cronosweb-i2a"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability has been fixed in CronosWeb version 25.01 (available since December 1, 2025).\u003cbr\u003e"
}
],
"value": "The vulnerability has been fixed in CronosWeb version 25.01 (available since December 1, 2025)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41358",
"datePublished": "2025-12-10T11:16:28.620Z",
"dateReserved": "2025-04-16T09:57:04.870Z",
"dateUpdated": "2025-12-10T16:40:32.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41358 (GCVE-0-2025-41358)
Vulnerability from cvelistv5 – Published: 2025-12-10 11:16 – Updated: 2025-12-10 16:40
VLAI?
Title
Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A
Summary
Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CronosWeb i2A | CronosWeb |
Affected:
25.00 and 24.05.
|
Credits
Félix Sánchez Medina
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T16:40:23.797946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T16:40:32.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CronosWeb",
"vendor": "CronosWeb i2A",
"versions": [
{
"status": "affected",
"version": "25.00 and 24.05."
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F\u00e9lix S\u00e1nchez Medina"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Direct Object Reference Vulnerability (IDOR) in i2A\u0027s CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users\u0027 documents by manipulating the \u2018documentCode\u2019 parameter in \u0027/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas\u0027."
}
],
"value": "Direct Object Reference Vulnerability (IDOR) in i2A\u0027s CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users\u0027 documents by manipulating the \u2018documentCode\u2019 parameter in \u0027/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas\u0027."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T11:16:28.620Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/direct-reference-insecure-objects-idor-cronosweb-cronosweb-i2a"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability has been fixed in CronosWeb version 25.01 (available since December 1, 2025).\u003cbr\u003e"
}
],
"value": "The vulnerability has been fixed in CronosWeb version 25.01 (available since December 1, 2025)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41358",
"datePublished": "2025-12-10T11:16:28.620Z",
"dateReserved": "2025-04-16T09:57:04.870Z",
"dateUpdated": "2025-12-10T16:40:32.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}