Insufficient Data Authenticity in Janto Affects Email Password Reset Functionality
CVE-2025-1108
8.6 HIGH
What is CVE-2025-1108?
A vulnerability in Janto permits unauthenticated attackers to manipulate the email content associated with password reset requests. The flaw arises from inadequate verification of data authenticity: a crafted POST request can inject malicious data into the 'Xml' parameter of the '/public/cgi/Gateway.php' endpoint. Attackers leveraging this vulnerability may compromise user accounts by altering reset emails, posing significant risks to user security.
Affected Version(s)
Janto 0
CVSS V3.1
Score: 8.6
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Guzmán Fernández Ocaña