CVE-2025-3013 - Vulnerability Details - OpenCVE

Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://bug.report.night-wolf.io/changelogs

History

Mon, 31 Mar 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 31 Mar 2025 04:00:00 +0000

Type	Values Removed	Values Added
Description	Insecure Direct Object References (IDOR) in access control in Customer Portal 2.14 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.	Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.

Mon, 31 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Description		Insecure Direct Object References (IDOR) in access control in Customer Portal 2.14 on NightWolf Penetration Testing allows an attacker to access via manipulating request parameters or object references.
Title		Insecure direct object references (IDOR) in NightWolf Penetration Platform
Weaknesses		CWE-285
References		https://bug.report.night-wolf.io/changelogs
Metrics		cvssV4_0 `{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: FSOFT

Published: 2025-03-31T03:40:04.534Z

Updated: 2025-03-31T15:55:30.308Z

Reserved: 2025-03-31T03:26:43.696Z

Link: CVE-2025-3013

Vulnrichment

Updated: 2025-03-31T15:54:50.053Z

NVD

Status : Awaiting Analysis

Published: 2025-03-31T04:15:21.297

Modified: 2025-04-01T20:26:30.593

Link: CVE-2025-3013

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3013", "assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "state": "PUBLISHED", "assignerShortName": "FSOFT", "dateReserved": "2025-03-31T03:26:43.696Z", "datePublished": "2025-03-31T03:40:04.534Z", "dateUpdated": "2025-03-31T15:55:30.308Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["portal"], "product": "NightWolf Penetration Platform", "vendor": "FPT Software", "versions": [{"lessThanOrEqual": "2.1.4", "status": "affected", "version": "2.1.2", "versionType": "custom"}, {"status": "unaffected", "version": "2.1.5", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Phan Quang Bao (quangbao368@gmail.com)"}], "datePublic": "2025-03-31T03:29:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf <span style=\"background-color: rgb(255, 255, 255);\">Penetration Testing </span>allows an attacker to access via manipulating request parameters or object references.<br><br>"}], "value": "Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf\u00a0Penetration Testing\u00a0allows an attacker to access via manipulating request parameters or object references."}], "impacts": [{"capecId": "CAPEC-27", "descriptions": [{"lang": "en", "value": "CAPEC-27: Leveraging Trust in Client"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.3, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "shortName": "FSOFT", "dateUpdated": "2025-03-31T03:45:01.982Z"}, "references": [{"url": "https://bug.report.night-wolf.io/changelogs"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2025-03-27T10:00:00.000Z", "value": "The reporter submits the vulnerability to security_report@fpt.com."}, {"lang": "en", "time": "2025-03-28T01:00:00.000Z", "value": "The security team verifies the issue and provides a fixing solution."}, {"lang": "en", "time": "2025-03-29T08:00:00.000Z", "value": "The security team releases the fix, retests the issue, and closes the vulnerability."}, {"lang": "en", "time": "2025-03-31T02:00:00.000Z", "value": "Assign a CVE to the reporter."}], "title": "Insecure direct object references (IDOR) in NightWolf Penetration Platform", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T15:53:42.558887Z", "id": "CVE-2025-3013", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T15:55:30.308Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3013", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-31T15:53:42.558887Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T15:54:50.053Z"}}], "cna": {"title": "Insecure direct object references (IDOR) in NightWolf Penetration Platform", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Phan Quang Bao (quangbao368@gmail.com)"}], "impacts": [{"capecId": "CAPEC-27", "descriptions": [{"lang": "en", "value": "CAPEC-27: Leveraging Trust in Client"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "FPT Software", "modules": ["portal"], "product": "NightWolf Penetration Platform", "versions": [{"status": "affected", "version": "2.1.2", "versionType": "custom", "lessThanOrEqual": "2.1.4"}, {"status": "unaffected", "version": "2.1.5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-27T10:00:00.000Z", "value": "The reporter submits the vulnerability to security_report@fpt.com."}, {"lang": "en", "time": "2025-03-28T01:00:00.000Z", "value": "The security team verifies the issue and provides a fixing solution."}, {"lang": "en", "time": "2025-03-29T08:00:00.000Z", "value": "The security team releases the fix, retests the issue, and closes the vulnerability."}, {"lang": "en", "time": "2025-03-31T02:00:00.000Z", "value": "Assign a CVE to the reporter."}], "datePublic": "2025-03-31T03:29:00.000Z", "references": [{"url": "https://bug.report.night-wolf.io/changelogs"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf\u00a0Penetration Testing\u00a0allows an attacker to access via manipulating request parameters or object references.", "supportingMedia": [{"type": "text/html", "value": "Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf <span style=\"background-color: rgb(255, 255, 255);\">Penetration Testing </span>allows an attacker to access via manipulating request parameters or object references.<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "shortName": "FSOFT", "dateUpdated": "2025-03-31T03:45:01.982Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3013", "state": "PUBLISHED", "dateUpdated": "2025-03-31T15:55:30.308Z", "dateReserved": "2025-03-31T03:26:43.696Z", "assignerOrgId": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "datePublished": "2025-03-31T03:40:04.534Z", "assignerShortName": "FSOFT"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf\u00a0Penetration Testing\u00a0allows an attacker to access via manipulating request parameters or object references."}, {"lang": "es", "value": "Las referencias directas a objetos inseguras (IDOR) en Customer Portal anterior a la versi\u00f3n 2.1.4 en las pruebas de penetraci\u00f3n de NightWolf permiten que un atacante acceda mediante la manipulaci\u00f3n de par\u00e1metros de solicitud o referencias de objetos."}], "id": "CVE-2025-3013", "lastModified": "2025-04-01T20:26:30.593", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "type": "Secondary"}]}, "published": "2025-03-31T04:15:21.297", "references": [{"source": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "url": "https://bug.report.night-wolf.io/changelogs"}], "sourceIdentifier": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "5ac195ad-69e7-48e7-9c1e-bfc958c39761", "type": "Secondary"}]}