Insecure Direct Object Reference (IDOR) in CronosWeb from CronosWeb i2A
Affected versions: CronosWeb version 25.00 and CronosWeb version 24.05.
INCIBE has coordinated the publication of a high-severity vulnerability affecting CronosWeb by CronosWeb i2A, a platform for managing reservations, activities, and services for sports and municipal facilities. The vulnerability was discovered by Félix Sánchez Medina.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41358: CVSS v4.0: 8.3 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N | CWE-639
The vulnerability has been fixed in CronosWeb version 25.01 (available since December 1, 2025).
CVE-2025-41358: Insecure Direct Object Reference (IDOR) vulnerability in i2A's CronosWeb, in versions up to and including 25.00.00.12. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the 'documentCode' parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'.
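The access-control failure the advisory describes, and the fix for it, as an added example that is not CronosWeb's code: a hypothetical download handler that looks a file up by its 'documentCode', first keyed only on the request parameter (the CWE-639 pattern), then with ownership checked against the session user, plus a small check over constructed request records that flags cross-user access. Document codes, user ids, file names and log entries are all constructed.

```python
# Added example, not CronosWeb's code: a minimal document-download handler shaped
# like the advisory's endpoint, which takes a 'documentCode' parameter (data constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    code: str
    owner_id: int
    filename: str

class NotFound(Exception):
    pass

# Constructed store keyed by documentCode; owner_id is the user the file belongs to.
DOCUMENTS = {
    "DOC-1001": Document("DOC-1001", owner_id=7, filename="id_card_user7.pdf"),
    "DOC-1002": Document("DOC-1002", owner_id=8, filename="id_card_user8.pdf"),
}

def get_document_vulnerable(session_user_id, document_code):
    """CWE-639 pattern: the lookup keys only on the client-supplied code, so any
    logged-in user who sends another user's code receives that user's file."""
    if document_code not in DOCUMENTS:
        raise NotFound(document_code)
    return DOCUMENTS[document_code]

def get_document_fixed(session_user_id, document_code):
    """Authorisation comes from the server-side session identity: the record must
    belong to the caller. Missing and foreign codes get the same 404 answer."""
    doc = DOCUMENTS.get(document_code)
    if doc is None or doc.owner_id != session_user_id:
        raise NotFound(document_code)
    return doc

def respond(handler, session_user_id, document_code):
    """Map a handler outcome to the HTTP-style (status, body) the endpoint returns."""
    try:
        return 200, handler(session_user_id, document_code).filename
    except NotFound:
        return 404, None

# Constructed request log: (session user id, documentCode requested).
REQUEST_LOG = [(7, "DOC-1001"), (7, "DOC-1002"), (8, "DOC-1002")]

def flag_cross_user_access(log):
    """Detection: requests whose session user does not own the requested code;
    on a vulnerable build these are exactly the accesses that succeeded."""
    return [(uid, code) for uid, code in log
            if code in DOCUMENTS and DOCUMENTS[code].owner_id != uid]
```

Running the two handlers against the same request shows the difference: user 7 asking for "DOC-1002" gets user 8's file from the vulnerable handler and a 404 from the fixed one.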