Improper Access Control in EmbedAI Affects User Subscription Information
CVE-2025-0739

8.6HIGH

Key Information:

Vendor: Embedai
Status: Embedai
Vendor: CVE Published:; 30 January 2025

Summary

An Improper Access Control vulnerability exists in EmbedAI versions up to 2.1. This flaw enables authenticated attackers to access and display subscription information of other users by manipulating the 'SUBSCRIPTION_ID' parameter in the endpoint '/demos/embedai/subscriptions/show/<SUBSCRIPTION_ID>'. This could potentially lead to unauthorized disclosure of sensitive user data.

Affected Version(s)

EmbedAI 0 < 2.1

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 30, 2025
Vulnerability Reserved
Jan 27, 2025

Credit

David Utón Amaya (m3n0sd0n4ld)