CVE-2025-1270: Insecure direct object reference (IDOR) vulnerability in H6Web

9.1 CVSS

Description

Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.

Classification

CVE ID: CVE-2025-1270

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Affected Products

Vendor: Anapi Group

Product: H6Web

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.98% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web

Timeline

2025-02-13 12:00:31 UTC
Incibe CERT

Múltiples vulnerabilidades en h6web de Grupo Anapi
2025-02-14 00:32:31 UTC
CVE

Insecure direct object reference (IDOR) vulnerability in H6Web