Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for maxun by maxun

    CVE-2025-15106 (GCVE-0-2025-15106)

    Vulnerability from nvd – Published: 2025-12-27 10:32 – Updated: 2025-12-29 15:56
    VLAI
    Title
    getmaxun Authentication Endpoint auth.ts router.get improper authorization
    Summary
    A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.338477 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.338477 signaturepermissions-required
    https://vuldb.com/?submit.710268 third-party-advisory
    https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc7… exploit
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0.0.1
    Affected: 0.0.2
    Affected: 0.0.3
    Affected: 0.0.4
    Affected: 0.0.5
    Affected: 0.0.6
    Affected: 0.0.7
    Affected: 0.0.8
    Affected: 0.0.9
    Affected: 0.0.10
    Affected: 0.0.11
    Affected: 0.0.12
    Affected: 0.0.13
    Affected: 0.0.14
    Affected: 0.0.15
    Affected: 0.0.16
    Affected: 0.0.17
    Affected: 0.0.18
    Affected: 0.0.19
    Affected: 0.0.20
    Affected: 0.0.21
    Affected: 0.0.22
    Affected: 0.0.23
    Affected: 0.0.24
    Affected: 0.0.25
    Affected: 0.0.26
    Affected: 0.0.27
    Affected: 0.0.28
    Create a notification for this product.
    Credits
    28Hus (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15106",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T15:56:07.291523Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T15:56:17.889Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Authentication Endpoint"
              ],
              "product": "maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                },
                {
                  "status": "affected",
                  "version": "0.0.16"
                },
                {
                  "status": "affected",
                  "version": "0.0.17"
                },
                {
                  "status": "affected",
                  "version": "0.0.18"
                },
                {
                  "status": "affected",
                  "version": "0.0.19"
                },
                {
                  "status": "affected",
                  "version": "0.0.20"
                },
                {
                  "status": "affected",
                  "version": "0.0.21"
                },
                {
                  "status": "affected",
                  "version": "0.0.22"
                },
                {
                  "status": "affected",
                  "version": "0.0.23"
                },
                {
                  "status": "affected",
                  "version": "0.0.24"
                },
                {
                  "status": "affected",
                  "version": "0.0.25"
                },
                {
                  "status": "affected",
                  "version": "0.0.26"
                },
                {
                  "status": "affected",
                  "version": "0.0.27"
                },
                {
                  "status": "affected",
                  "version": "0.0.28"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "28Hus (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T10:32:05.218Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-338477 | getmaxun Authentication Endpoint auth.ts router.get improper authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.338477"
            },
            {
              "name": "VDB-338477 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.338477"
            },
            {
              "name": "Submit #710268 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \u2264 v0.0.28 Authentication Bypass Issues",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.710268"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-26T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-26T19:16:07.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "getmaxun Authentication Endpoint auth.ts router.get improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15106",
        "datePublished": "2025-12-27T10:32:05.218Z",
        "dateReserved": "2025-12-26T18:10:58.997Z",
        "dateUpdated": "2025-12-29T15:56:17.889Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15105 (GCVE-0-2025-15105)

    Vulnerability from nvd – Published: 2025-12-27 09:02 – Updated: 2025-12-29 15:55
    VLAI
    Title
    getmaxun auth.ts hard-coded key
    Summary
    A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    • CWE-320 - Key Management Error
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.338476 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.338476 signaturepermissions-required
    https://vuldb.com/?submit.710256 third-party-advisory
    https://gist.github.com/H2u8s/40be31987e52fc81076… exploit
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0.0.1
    Affected: 0.0.2
    Affected: 0.0.3
    Affected: 0.0.4
    Affected: 0.0.5
    Affected: 0.0.6
    Affected: 0.0.7
    Affected: 0.0.8
    Affected: 0.0.9
    Affected: 0.0.10
    Affected: 0.0.11
    Affected: 0.0.12
    Affected: 0.0.13
    Affected: 0.0.14
    Affected: 0.0.15
    Affected: 0.0.16
    Affected: 0.0.17
    Affected: 0.0.18
    Affected: 0.0.19
    Affected: 0.0.20
    Affected: 0.0.21
    Affected: 0.0.22
    Affected: 0.0.23
    Affected: 0.0.24
    Affected: 0.0.25
    Affected: 0.0.26
    Affected: 0.0.27
    Affected: 0.0.28
    Create a notification for this product.
    Credits
    28Hus (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15105",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T15:54:53.991053Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T15:55:05.915Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                },
                {
                  "status": "affected",
                  "version": "0.0.16"
                },
                {
                  "status": "affected",
                  "version": "0.0.17"
                },
                {
                  "status": "affected",
                  "version": "0.0.18"
                },
                {
                  "status": "affected",
                  "version": "0.0.19"
                },
                {
                  "status": "affected",
                  "version": "0.0.20"
                },
                {
                  "status": "affected",
                  "version": "0.0.21"
                },
                {
                  "status": "affected",
                  "version": "0.0.22"
                },
                {
                  "status": "affected",
                  "version": "0.0.23"
                },
                {
                  "status": "affected",
                  "version": "0.0.24"
                },
                {
                  "status": "affected",
                  "version": "0.0.25"
                },
                {
                  "status": "affected",
                  "version": "0.0.26"
                },
                {
                  "status": "affected",
                  "version": "0.0.27"
                },
                {
                  "status": "affected",
                  "version": "0.0.28"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "28Hus (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key\r . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-320",
                  "description": "Key Management Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T09:02:06.124Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-338476 | getmaxun auth.ts hard-coded key",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.338476"
            },
            {
              "name": "VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.338476"
            },
            {
              "name": "Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \u2264 v0.0.28 Authentication Bypass by Primary Weakness",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.710256"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-26T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-26T19:16:05.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "getmaxun auth.ts hard-coded key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15105",
        "datePublished": "2025-12-27T09:02:06.124Z",
        "dateReserved": "2025-12-26T18:10:50.723Z",
        "dateUpdated": "2025-12-29T15:55:05.915Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15106 (GCVE-0-2025-15106)

    Vulnerability from cvelistv5 – Published: 2025-12-27 10:32 – Updated: 2025-12-29 15:56
    VLAI
    Title
    getmaxun Authentication Endpoint auth.ts router.get improper authorization
    Summary
    A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.338477 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.338477 signaturepermissions-required
    https://vuldb.com/?submit.710268 third-party-advisory
    https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc7… exploit
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0.0.1
    Affected: 0.0.2
    Affected: 0.0.3
    Affected: 0.0.4
    Affected: 0.0.5
    Affected: 0.0.6
    Affected: 0.0.7
    Affected: 0.0.8
    Affected: 0.0.9
    Affected: 0.0.10
    Affected: 0.0.11
    Affected: 0.0.12
    Affected: 0.0.13
    Affected: 0.0.14
    Affected: 0.0.15
    Affected: 0.0.16
    Affected: 0.0.17
    Affected: 0.0.18
    Affected: 0.0.19
    Affected: 0.0.20
    Affected: 0.0.21
    Affected: 0.0.22
    Affected: 0.0.23
    Affected: 0.0.24
    Affected: 0.0.25
    Affected: 0.0.26
    Affected: 0.0.27
    Affected: 0.0.28
    Create a notification for this product.
    Credits
    28Hus (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15106",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T15:56:07.291523Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T15:56:17.889Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Authentication Endpoint"
              ],
              "product": "maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                },
                {
                  "status": "affected",
                  "version": "0.0.16"
                },
                {
                  "status": "affected",
                  "version": "0.0.17"
                },
                {
                  "status": "affected",
                  "version": "0.0.18"
                },
                {
                  "status": "affected",
                  "version": "0.0.19"
                },
                {
                  "status": "affected",
                  "version": "0.0.20"
                },
                {
                  "status": "affected",
                  "version": "0.0.21"
                },
                {
                  "status": "affected",
                  "version": "0.0.22"
                },
                {
                  "status": "affected",
                  "version": "0.0.23"
                },
                {
                  "status": "affected",
                  "version": "0.0.24"
                },
                {
                  "status": "affected",
                  "version": "0.0.25"
                },
                {
                  "status": "affected",
                  "version": "0.0.26"
                },
                {
                  "status": "affected",
                  "version": "0.0.27"
                },
                {
                  "status": "affected",
                  "version": "0.0.28"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "28Hus (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T10:32:05.218Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-338477 | getmaxun Authentication Endpoint auth.ts router.get improper authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.338477"
            },
            {
              "name": "VDB-338477 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.338477"
            },
            {
              "name": "Submit #710268 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \u2264 v0.0.28 Authentication Bypass Issues",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.710268"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-26T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-26T19:16:07.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "getmaxun Authentication Endpoint auth.ts router.get improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15106",
        "datePublished": "2025-12-27T10:32:05.218Z",
        "dateReserved": "2025-12-26T18:10:58.997Z",
        "dateUpdated": "2025-12-29T15:56:17.889Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15105 (GCVE-0-2025-15105)

    Vulnerability from cvelistv5 – Published: 2025-12-27 09:02 – Updated: 2025-12-29 15:55
    VLAI
    Title
    getmaxun auth.ts hard-coded key
    Summary
    A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    • CWE-320 - Key Management Error
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.338476 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.338476 signaturepermissions-required
    https://vuldb.com/?submit.710256 third-party-advisory
    https://gist.github.com/H2u8s/40be31987e52fc81076… exploit
    Impacted products
    Vendor Product Version
    getmaxun maxun Affected: 0.0.1
    Affected: 0.0.2
    Affected: 0.0.3
    Affected: 0.0.4
    Affected: 0.0.5
    Affected: 0.0.6
    Affected: 0.0.7
    Affected: 0.0.8
    Affected: 0.0.9
    Affected: 0.0.10
    Affected: 0.0.11
    Affected: 0.0.12
    Affected: 0.0.13
    Affected: 0.0.14
    Affected: 0.0.15
    Affected: 0.0.16
    Affected: 0.0.17
    Affected: 0.0.18
    Affected: 0.0.19
    Affected: 0.0.20
    Affected: 0.0.21
    Affected: 0.0.22
    Affected: 0.0.23
    Affected: 0.0.24
    Affected: 0.0.25
    Affected: 0.0.26
    Affected: 0.0.27
    Affected: 0.0.28
    Create a notification for this product.
    Credits
    28Hus (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15105",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-29T15:54:53.991053Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-29T15:55:05.915Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "maxun",
              "vendor": "getmaxun",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.0.1"
                },
                {
                  "status": "affected",
                  "version": "0.0.2"
                },
                {
                  "status": "affected",
                  "version": "0.0.3"
                },
                {
                  "status": "affected",
                  "version": "0.0.4"
                },
                {
                  "status": "affected",
                  "version": "0.0.5"
                },
                {
                  "status": "affected",
                  "version": "0.0.6"
                },
                {
                  "status": "affected",
                  "version": "0.0.7"
                },
                {
                  "status": "affected",
                  "version": "0.0.8"
                },
                {
                  "status": "affected",
                  "version": "0.0.9"
                },
                {
                  "status": "affected",
                  "version": "0.0.10"
                },
                {
                  "status": "affected",
                  "version": "0.0.11"
                },
                {
                  "status": "affected",
                  "version": "0.0.12"
                },
                {
                  "status": "affected",
                  "version": "0.0.13"
                },
                {
                  "status": "affected",
                  "version": "0.0.14"
                },
                {
                  "status": "affected",
                  "version": "0.0.15"
                },
                {
                  "status": "affected",
                  "version": "0.0.16"
                },
                {
                  "status": "affected",
                  "version": "0.0.17"
                },
                {
                  "status": "affected",
                  "version": "0.0.18"
                },
                {
                  "status": "affected",
                  "version": "0.0.19"
                },
                {
                  "status": "affected",
                  "version": "0.0.20"
                },
                {
                  "status": "affected",
                  "version": "0.0.21"
                },
                {
                  "status": "affected",
                  "version": "0.0.22"
                },
                {
                  "status": "affected",
                  "version": "0.0.23"
                },
                {
                  "status": "affected",
                  "version": "0.0.24"
                },
                {
                  "status": "affected",
                  "version": "0.0.25"
                },
                {
                  "status": "affected",
                  "version": "0.0.26"
                },
                {
                  "status": "affected",
                  "version": "0.0.27"
                },
                {
                  "status": "affected",
                  "version": "0.0.28"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "28Hus (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key\r . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-320",
                  "description": "Key Management Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-27T09:02:06.124Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-338476 | getmaxun auth.ts hard-coded key",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.338476"
            },
            {
              "name": "VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.338476"
            },
            {
              "name": "Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun  \u2264 v0.0.28 Authentication Bypass by Primary Weakness",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.710256"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-26T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-26T19:16:05.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "getmaxun auth.ts hard-coded key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15105",
        "datePublished": "2025-12-27T09:02:06.124Z",
        "dateReserved": "2025-12-26T18:10:50.723Z",
        "dateUpdated": "2025-12-29T15:55:05.915Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }