Vulnerability Details CVE-2025-1270
Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 26.0%
CVSS Severity
CVSS v3 Score 9.1
References