CVE-2025-2271: IDOR in Issuetrak NewAuditID parameter via Inv_PopTrakXShow.asp
Description
A vulnerability exists in Issuetrak v17.2.2 and prior that allows a low-privileged user to access audit results of other users by exploiting an Insecure Direct Object Reference (IDOR) vulnerability in the Issuetrak audit component. The vulnerability enables unauthorized access to sensitive information, including user details, network and hardware information, installed programs, running processes, drives, and printers. Due to improper access controls, an attacker can retrieve audit data belonging to other users, potentially leading to unauthorized data exposure, privacy violations, and security risks.
Classification
CVE ID: CVE-2025-2271
CVSS Base Severity: HIGH
CVSS Base Score: 7.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Problem Types
CWE-639 Authorization Bypass Through User-Controlled KeyAffected Products
Vendor: issuetrak
Product: audit
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 6.58% (scored less or equal to compared to others)
EPSS Date: 2025-04-11 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-2271https://helpcenter.issuetrak.com/home/2340-issuetrak-release-notes