Insecure Direct Object Reference in GPS BOLD Workplanner
BOLD Workplanner, versions prior to 2.5.25.
INCIBE has coordinated the publication of 9 vulnerabilities, each rated high severity (CVSS v4.0 base score 7.1), affecting BOLD Workplanner by Global Planning Solutions (GPS), a time-management software product for human resources departments. The vulnerabilities were discovered by Ángel González.
The following identifiers, CVSS v4.0 base score, CVSS vector and CWE type have been assigned to the vulnerabilities (the same values apply to all nine):
- CVE-2025-41091 to CVE-2025-41099: CVSS v4.0: 7.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-639 (Authorization Bypass Through User-Controlled Key)
The vulnerabilities have been fixed by GPS in version 2.5.25.
Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b). The application uses internal identifiers supplied in the request to look up records without checking that the authenticated user is entitled to access the referenced employee, so any authenticated user can obtain information such as employee number, first name, last name, national identity number, clock-in records, registered holiday requests, absences, etc. belonging to any employee of the company simply by supplying that employee's internal identifier.
The affected functions and the identifier assigned to each are as follows:
- CVE-2025-41091: access to calendar details using unauthorised internal identifiers.
- CVE-2025-41092: access to time records details using unauthorised internal identifiers.
- CVE-2025-41093: access to basic contract details using unauthorised internal identifiers.
- CVE-2025-41094: access to functional contract details using unauthorised internal identifiers.
- CVE-2025-41095: access to planning counter details using unauthorised internal identifiers.
- CVE-2025-41096: access to the dates of the current contract using unauthorised internal identifiers.
- CVE-2025-41097: access to basic employee details using unauthorised internal identifiers.
- CVE-2025-41098: misuse of the general enquiry web service.
- CVE-2025-41099: access to the list of permissions using unauthorised internal identifiers.
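The pattern behind all nine findings is the same: the handler authenticates the caller but then trusts the employee identifier in the request as the lookup key. The following example is added here to show that pattern beside its fix and a simple log-based detection; it is illustrative code written for this page, not BOLD Workplanner's code, and the record fields, session model, `/api/employee/<id>` path and log format are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Employee:
    employee_id: int
    first_name: str
    last_name: str
    national_id: str
    clock_ins: List[str] = field(default_factory=list)


@dataclass
class Session:
    user_id: int                                # employee_id of the logged-in user
    is_hr_admin: bool = False                   # may read every employee
    managed_ids: FrozenSet[int] = frozenset()   # direct reports a manager may read


# Constructed sample records (fictitious; not data from the product or the advisory).
EMPLOYEES: Dict[int, Employee] = {
    1001: Employee(1001, "Ana", "García", "12345678A", ["2025-01-10T08:01"]),
    1002: Employee(1002, "Luis", "Pérez", "87654321B", ["2025-01-10T07:58"]),
    1003: Employee(1003, "Marta", "Ruiz", "11223344C"),
}


class Forbidden(Exception):
    """Raised for any request the caller is not allowed to make."""


def get_employee_vulnerable(session: Optional[Session], employee_id: int) -> Employee:
    """Vulnerable shape (CWE-639): the caller is authenticated, but the id taken
    from the request is used directly as the key. Nothing ties that id to the
    caller, so any logged-in user can read any employee by guessing an id."""
    if session is None:
        raise Forbidden("not authenticated")
    return EMPLOYEES[employee_id]


def is_authorised(session: Session, employee_id: int) -> bool:
    """Object-level authorisation: own record, direct reports, or HR admin role."""
    return (employee_id == session.user_id
            or employee_id in session.managed_ids
            or session.is_hr_admin)


def get_employee_fixed(session: Optional[Session], employee_id: int) -> Employee:
    """Fixed shape: decide authorisation from the session and the requested id
    before touching the store, and return the same error for 'not allowed'
    whether or not the record exists, so the endpoint is not an id oracle."""
    if session is None:
        raise Forbidden("not authenticated")
    if not is_authorised(session, employee_id):
        raise Forbidden("not allowed to read this employee")
    record = EMPLOYEES.get(employee_id)
    if record is None:
        raise KeyError(employee_id)  # only an authorised caller learns this
    return record


def get_own_employee(session: Session) -> Employee:
    """Safest shape for 'my data' endpoints: the subject comes from the session
    and the request carries no identifier, so there is nothing to tamper with."""
    return EMPLOYEES[session.user_id]


def outcome(session: Optional[Session], employee_id: int) -> str:
    """Classify a request against the fixed handler: 'ok', 'forbidden' or 'missing'."""
    try:
        get_employee_fixed(session, employee_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "missing"


# Detection side: exploitation of this IDOR looks like one account sweeping
# many employee ids. Constructed access-log lines in an assumed "<user> GET <path>" format.
LOG_LINES = [
    "1001 GET /api/employee/1001",
    "1001 GET /api/employee/1002",
    "1001 GET /api/employee/1003",
    "1001 GET /api/employee/1004",
    "1002 GET /api/employee/1002",
    "1003 GET /api/employee/1003",
]
LOG_RE = re.compile(r"^(?P<user>\d+) GET /api/employee/(?P<target>\d+)$")


def flag_enumeration(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Return {user: count} for users that requested at least `threshold`
    distinct employee ids other than their own."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["target"] != m["user"]:
            seen[m["user"]].add(m["target"])
    return {u: len(ids) for u, ids in seen.items() if len(ids) >= threshold}
```

Two design points carry over to any real fix: the authorisation decision must depend only on the session and the requested identifier, never on whether the record exists (otherwise the error difference turns the endpoint into an identifier oracle), and endpoints that only ever serve the caller's own data should drop the identifier parameter entirely rather than validate it.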