← back
CVE-2025-41358

Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A

CVSS 8.3 HIGHEPSS 0.3%CWE-639
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
10 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Affected products
CronosWeb i2A · CronosWeb

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.incibe.es/en/incibe-cert/notices/aviso/direct-reference-insecure-objects-idor-cronosweb-cronosweb-i2a