Search

Find a vulnerability

Search criteria

    2 vulnerabilities by Sistemas Pleno

    CVE-2025-10947 (GCVE-0-2025-10947)

    Vulnerability from nvd – Published: 2025-09-25 13:02 – Updated: 2026-03-25 12:30
    VLAI
    Title
    Sistemas Pleno Gestão de Locação CPF validarCpf authorization
    Summary
    A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Sistemas Pleno Gestão de Locação Affected: 2025.0
    Affected: 2025.1
    Affected: 2025.2
    Affected: 2025.3
    Affected: 2025.4
    Affected: 2025.5
    Affected: 2025.6
    Affected: 2025.7
    Unaffected: 2025.8.0
    Create a notification for this product.
    Credits
    Syrtain (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-10947",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-25T13:14:30.582453Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-25T13:14:33.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main?tab=readme-ov-file#-proofs"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "CPF Handler"
              ],
              "product": "Gest\u00e3o de Loca\u00e7\u00e3o",
              "vendor": "Sistemas Pleno",
              "versions": [
                {
                  "status": "affected",
                  "version": "2025.0"
                },
                {
                  "status": "affected",
                  "version": "2025.1"
                },
                {
                  "status": "affected",
                  "version": "2025.2"
                },
                {
                  "status": "affected",
                  "version": "2025.3"
                },
                {
                  "status": "affected",
                  "version": "2025.4"
                },
                {
                  "status": "affected",
                  "version": "2025.5"
                },
                {
                  "status": "affected",
                  "version": "2025.6"
                },
                {
                  "status": "affected",
                  "version": "2025.7"
                },
                {
                  "status": "unaffected",
                  "version": "2025.8.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Syrtain (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in Sistemas Pleno Gest\u00e3o de Loca\u00e7\u00e3o up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T12:30:18.684Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-325817 | Sistemas Pleno Gest\u00e3o de Loca\u00e7\u00e3o CPF validarCpf authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.325817"
            },
            {
              "name": "VDB-325817 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.325817"
            },
            {
              "name": "Submit #652282 | Sistemas Pleno Gest\u00e3o de Loca\u00e7\u00e3o Prior to 2025.8.0 Insecure Direct Object Reference (IDOR)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.652282"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main?tab=readme-ov-file#-proofs"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-09-25T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-09-25T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-09-26T17:12:17.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sistemas Pleno Gest\u00e3o de Loca\u00e7\u00e3o CPF validarCpf authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-10947",
        "datePublished": "2025-09-25T13:02:09.244Z",
        "dateReserved": "2025-09-25T06:01:51.197Z",
        "dateUpdated": "2026-03-25T12:30:18.684Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-10947 (GCVE-0-2025-10947)

    Vulnerability from cvelistv5 – Published: 2025-09-25 13:02 – Updated: 2026-03-25 12:30
    VLAI
    Title
    Sistemas Pleno Gestão de Locação CPF validarCpf authorization
    Summary
    A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Sistemas Pleno Gestão de Locação Affected: 2025.0
    Affected: 2025.1
    Affected: 2025.2
    Affected: 2025.3
    Affected: 2025.4
    Affected: 2025.5
    Affected: 2025.6
    Affected: 2025.7
    Unaffected: 2025.8.0
    Create a notification for this product.
    Credits
    Syrtain (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-10947",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-25T13:14:30.582453Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-25T13:14:33.199Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main?tab=readme-ov-file#-proofs"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "CPF Handler"
              ],
              "product": "Gest\u00e3o de Loca\u00e7\u00e3o",
              "vendor": "Sistemas Pleno",
              "versions": [
                {
                  "status": "affected",
                  "version": "2025.0"
                },
                {
                  "status": "affected",
                  "version": "2025.1"
                },
                {
                  "status": "affected",
                  "version": "2025.2"
                },
                {
                  "status": "affected",
                  "version": "2025.3"
                },
                {
                  "status": "affected",
                  "version": "2025.4"
                },
                {
                  "status": "affected",
                  "version": "2025.5"
                },
                {
                  "status": "affected",
                  "version": "2025.6"
                },
                {
                  "status": "affected",
                  "version": "2025.7"
                },
                {
                  "status": "unaffected",
                  "version": "2025.8.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Syrtain (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in Sistemas Pleno Gest\u00e3o de Loca\u00e7\u00e3o up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 2025.8.0 is sufficient to resolve this issue. It is advisable to upgrade the affected component."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-25T12:30:18.684Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-325817 | Sistemas Pleno Gest\u00e3o de Loca\u00e7\u00e3o CPF validarCpf authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.325817"
            },
            {
              "name": "VDB-325817 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.325817"
            },
            {
              "name": "Submit #652282 | Sistemas Pleno Gest\u00e3o de Loca\u00e7\u00e3o Prior to 2025.8.0 Insecure Direct Object Reference (IDOR)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.652282"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/lfparizzi/CVE-Sistemas_Pleno/tree/main?tab=readme-ov-file#-proofs"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-09-25T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-09-25T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-09-26T17:12:17.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sistemas Pleno Gest\u00e3o de Loca\u00e7\u00e3o CPF validarCpf authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-10947",
        "datePublished": "2025-09-25T13:02:09.244Z",
        "dateReserved": "2025-09-25T06:01:51.197Z",
        "dateUpdated": "2026-03-25T12:30:18.684Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }