Insecure Direct Object Reference in Anapi Group's H6Web
CVE-2025-1270

9.1 CRITICAL

Key Information:

CVE Published: 13 February 2025

What is CVE-2025-1270?

The H6Web product by Anapi Group is affected by an Insecure Direct Object Reference (IDOR) vulnerability that allows an authenticated attacker to access other users' private information. The flaw is exploited by manipulating the 'pkrelated' parameter in POST requests to the '/h6web/ha_datos_hermano.php' endpoint, which returns another user's data. Moreover, this initial exploitation allows the attacker to impersonate other users, leading to further unauthorized privileges on subsequent requests.
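An added illustration of the vulnerability class described above, not code from H6Web or Anapi Group: a lookup that trusts the client-supplied 'pkrelated' key beside one that checks ownership against the server-side session, plus a simple detector that flags a session enumerating many distinct 'pkrelated' values in constructed access-log lines. The records, sessions, log format and threshold are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List
from collections import defaultdict

@dataclass(frozen=True)
class Session:
    user_id: int  # authenticated principal taken from the server-side session

# Constructed records: each 'pkrelated' key maps to private data and its owner.
RECORDS = {
    101: {"owner": 1, "data": "private data of user 1"},
    102: {"owner": 2, "data": "private data of user 2"},
}

def lookup_vulnerable(session: Session, pkrelated: int) -> Optional[str]:
    """IDOR: the client-supplied key alone selects the record, so any
    authenticated user can read any other user's data."""
    rec = RECORDS.get(pkrelated)
    return rec["data"] if rec else None

def lookup_hardened(session: Session, pkrelated: int) -> Optional[str]:
    """Resolve the key, then require that the record belongs to the session
    user. Missing and foreign records both yield None so the response does
    not reveal which keys exist."""
    rec = RECORDS.get(pkrelated)
    if rec is None or rec["owner"] != session.user_id:
        return None
    return rec["data"]

# Constructed access-log lines (format is an assumption): session id, method,
# path and the submitted 'pkrelated' value.
LOG_LINES = [
    "sess=s1 POST /h6web/ha_datos_hermano.php pkrelated=101",
    "sess=s2 POST /h6web/ha_datos_hermano.php pkrelated=101",
    "sess=s2 POST /h6web/ha_datos_hermano.php pkrelated=102",
    "sess=s2 POST /h6web/ha_datos_hermano.php pkrelated=103",
    "sess=s2 POST /h6web/ha_datos_hermano.php pkrelated=104",
    "sess=s1 GET /h6web/index.php",
]

def enumerating_sessions(lines: List[str], threshold: int = 3) -> List[str]:
    """Return session ids that requested more than `threshold` distinct
    'pkrelated' values on the affected endpoint: an enumeration signature."""
    seen = defaultdict(set)
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "/h6web/ha_datos_hermano.php" in line and "pkrelated" in fields:
            seen[fields["sess"]].add(fields["pkrelated"])
    return sorted(s for s, keys in seen.items() if len(keys) > threshold)
```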

Affected Version(s)

H6Web all versions

CVSS V3.1

  • Score: 9.1
  • Severity: CRITICAL
  • Confidentiality: High
  • Integrity: Low
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed

Credit

Bertrand Lorente Yáñez