CVE-2025-1270 CRITICAL

CVE-2025-1270: Insecure direct object reference (IDOR) vulnerability in H6Web

Vendor Anapi Group
Product H6Web
Weakness CWE-639 · IDOR
Published February 13, 2025
Last update February 13, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

What the vulnerability does

01Description

Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.

Key dates

02Disclosure timeline

February 13, 2025 CVE published
February 13, 2025 Record updated