CVE-2025-41358 HIGH

CVE-2025-41358: Insecure direct object reference (IDOR) in CronosWeb from CronosWeb i2A

Vendor Cronosweb I2A
Product CronosWeb
Weakness CWE-639 · IDOR
Published December 10, 2025
Last update December 10, 2025

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01 Description

Insecure Direct Object Reference (IDOR) vulnerability in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the 'documentCode' parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.

Key dates

02 Disclosure timeline

December 10, 2025 CVE published
December 10, 2025 Record updated