Missing Authorization in DinoRANK

Posted date 28/05/2025
Identifier
INCIBE-2025-0275
Importance
3 - Medium
Affected Resources

DinoRANK

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting DinoRANK, a SEO tool. The vulnerability was discovered by Pablo Alcarria.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40673: CVSS v4.0: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-862
Solution

The vulnerability has been fixed by the DinoRANK team in the latest version.

Detail

CVE-2025-40673: A Missing Authorization vulnerability has been found in DinoRANK. It allows an attacker to access the invoices of any user by requesting the endpoint '/facturas/YYYY-MM/SDRYYMM-XXXXX.pdf', because no access control is applied to it. The PDF filename can be obtained via OSINT, insecure network traffic or brute force.
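The flaw is a missing ownership check on a per-user resource (CWE-862). The following is an added illustration, not DinoRANK code: a hypothetical invoice-download handler in its vulnerable form beside a hardened one, using a constructed owner table and the filename scheme quoted above.

```python
import re
from typing import Optional

# Constructed sample data (hypothetical): invoice path -> owning account.
INVOICE_OWNERS = {
    "2025-05/SDR2505-00001.pdf": "user-a",
    "2025-05/SDR2505-00002.pdf": "user-b",
}

# Only the documented naming scheme 'YYYY-MM/SDRYYMM-XXXXX.pdf' is accepted,
# which also rejects traversal and anything outside the invoice namespace.
INVOICE_PATH = re.compile(r"^(\d{4})-(\d{2})/SDR(\d{2})(\d{2})-\d{5}\.pdf$")


def vulnerable_download(path: str, current_user: Optional[str]) -> bool:
    """'Before' behaviour: a logged-in session (PR:L) is enough; the file is
    served whenever it exists and the owner is never consulted."""
    if current_user is None:
        return False
    return path in INVOICE_OWNERS


def authorized_download(path: str, current_user: Optional[str]) -> bool:
    """Hardened: authenticate, validate the name, then enforce ownership."""
    if current_user is None:
        return False
    m = INVOICE_PATH.match(path)
    if m is None:
        return False
    year, month, yy, mm = m.groups()
    # The folder period and the filename period must agree.
    if year[2:] != yy or month != mm:
        return False
    owner = INVOICE_OWNERS.get(path)
    # Same negative result for "unknown file" and "someone else's file", so
    # the endpoint does not act as an existence oracle for guessed names.
    return owner is not None and owner == current_user
```

Logging every denied invoice request with the session user and requested path gives a simple detection signal for enumeration of the SDR numbering.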
