CVE-2025-34293 HIGH

CVE-2025-34293: GN4 Publishing System Insecure Direct Object Reference (IDOR) Information Disclosure

Vendor Naviga Global / Miles 33
Product GN4 Publishing System
Weakness CWE-639 · IDOR
Published October 24, 2025
Last update May 14, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account's security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.

Key dates

02Disclosure timeline

October 24, 2025 CVE published
May 14, 2026 Record updated