CVE-2025-2306

{"id": "CVE-2025-2306", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "a341c0d1-ebf7-493f-a84e-38cf86618674", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2025-05-16T13:15:52.307", "references": [{"url": "https://www.cirosec.de/sa/sa-2025-004", "source": "a341c0d1-ebf7-493f-a84e-38cf86618674"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "a341c0d1-ebf7-493f-a84e-38cf86618674", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability was\nidentified in the file download functionality. This vulnerability allows users\nto download sensitive documents without authentication, if the URL is known.\n\n\n\nThe attack\nrequires the attacker to know the documents UUIDv4."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de control de acceso inadecuado en la funcionalidad de descarga de archivos. Esta vulnerabilidad permite a los usuarios descargar documentos confidenciales sin autenticaci\u00f3n si se conoce la URL. El ataque requiere que el atacante conozca el UUIDv4 de los documentos."}], "lastModified": "2025-05-16T14:42:18.700", "sourceIdentifier": "a341c0d1-ebf7-493f-a84e-38cf86618674"}