CVE-2025-45968

An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization checks when accessing objects referenced by this parameter. This allows direct access to other users' data or internal resources without proper permission. Successful exploitation of this flaw may result in the exposure of sensitive information.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://medium.com/@r3dd1t/pedindo-um-lanche-e-possivelemnte-descobrindo-uma-cve-9930b0114e3f	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:system_pdv_project:system_pdv:1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-25 14:15

Updated : 2025-10-21 13:51

NVD link : CVE-2025-45968

Mitre link : CVE-2025-45968

CVE.ORG link : CVE-2025-45968

JSON object : View

Products Affected

system_pdv_project

system_pdv

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-45968", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-08-25T14:15:31.210", "references": [{"url": "https://medium.com/@r3dd1t/pedindo-um-lanche-e-possivelemnte-descobrindo-uma-cve-9930b0114e3f", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization checks when accessing objects referenced by this parameter. This allows direct access to other users' data or internal resources without proper permission. Successful exploitation of this flaw may result in the exposure of sensitive information."}, {"lang": "es", "value": "Un problema en System PDV v1.0 permite a un atacante remoto obtener informaci\u00f3n confidencial mediante el par\u00e1metro hash de una URL. La aplicaci\u00f3n contiene una vulnerabilidad de Referencia Directa a Objetos Insegura (IDOR), que se produce debido a la falta de comprobaciones de autorizaci\u00f3n adecuadas al acceder a los objetos referenciados por este par\u00e1metro. Esto permite el acceso directo a los datos o recursos internos de otros usuarios sin el permiso correspondiente. La explotaci\u00f3n exitosa de esta vulnerabilidad puede resultar en la exposici\u00f3n de informaci\u00f3n confidencial."}], "lastModified": "2025-10-21T13:51:24.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:system_pdv_project:system_pdv:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42839336-C589-4EEC-848A-A9C468E57805"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}