Multiple vulnerabilities in BBMRI-ERIC Negotiator
Posted date 07/10/2025
Identifier
INCIBE-2025-0543
Importance
3 - Medium
Affected Resources
Negotiator, versions prior to 3.15.5.
Description
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting BBMRI-ERIC's Negotiator, an open-source access negotiation solution adapted to research infrastructures. The vulnerabilities were discovered by Erlaitz Parreño Muñoz.
Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE weakness type:
- CVE-2025-40649: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79 (Improper Neutralization of Input During Web Page Generation, Cross-site Scripting)
- CVE-2025-40676: CVSS v4.0: 5.3 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-639 (Authorization Bypass Through User-Controlled Key)
Solution
The vulnerabilities have been fixed by the BBMRI-ERIC team in version 3.15.5.
Detail
- CVE-2025-40649: Stored Cross-Site Scripting (XSS) in Negotiator v3.15.2 from Biobanking and Biomolecular Resources - European Research Infrastructure (BBMRI-ERIC). User input is not properly validated, so an authenticated user can store a malicious payload by sending a POST request with the parameter 'text' to '/api/v3/negotiations/<postUID>/posts'. The stored payload then executes in the browser of every other authenticated user who views the post, which could allow the attacker to steal their session cookies (where the session cookie is not flagged HttpOnly) or act with their privileges.
- CVE-2025-40676: Insecure Direct Object Reference (IDOR) in Negotiator v3.15.2 from Biobanking and Biomolecular Resources - European Research Infrastructure (BBMRI-ERIC). The server checks that the caller is authenticated but not that the caller is authorised for the requested user record, so an attacker can access or modify other users' resources by manipulating the 'userID' parameter in requests to '/api/v3/users/<userID>', which may result in the exposure or alteration of sensitive data.
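As an added illustration of the two bug classes above (this is not code from the Negotiator project, whose handlers may look nothing like it), the following Python model reproduces each endpoint with the vulnerable behaviour beside the hardened one: an object-level authorisation check for the user endpoint, and input validation plus HTML output encoding for the post text. The user ids, the "ADMIN" role name, the "neg-42" negotiation id, the length limit and the test payload are all constructed assumptions.

```python
"""Added example (not code from the Negotiator project): the two bug classes
in this advisory, each as a vulnerable handler beside a hardened one, on an
in-memory model of the affected endpoints. All data below is constructed."""
import html
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested object."""


@dataclass
class User:
    user_id: int
    name: str
    email: str
    roles: frozenset


@dataclass
class Post:
    negotiation_id: str
    author_id: int
    text: str


# Constructed users standing in for the application database; the role name
# "ADMIN" is an assumption, not the project's real role model.
USERS = {
    1: User(1, "alice", "alice@example.org", frozenset({"RESEARCHER"})),
    2: User(2, "bob", "bob@example.org", frozenset({"RESEARCHER"})),
    9: User(9, "carol", "carol@example.org", frozenset({"ADMIN"})),
}
POSTS: list[Post] = []


def reset_posts() -> None:
    POSTS.clear()


# ---- CWE-639 / CVE-2025-40676 pattern: /api/v3/users/<userID> ----

def get_user_vulnerable(caller_id: int, user_id: int) -> User:
    """Checks only that the caller is logged in. The id taken from the URL is
    used directly as the database key, so any authenticated user can read
    (and, in a PUT handler written the same way, modify) any record."""
    if caller_id not in USERS:
        raise Forbidden("not authenticated")
    return USERS[user_id]


def _authorize_user_access(caller_id: int, user_id: int) -> User:
    """Object-level authorisation: a user may act on their own record only,
    unless they hold an administrative role."""
    caller = USERS.get(caller_id)
    if caller is None:
        raise Forbidden("not authenticated")
    if user_id != caller.user_id and "ADMIN" not in caller.roles:
        raise Forbidden(f"user {caller_id} may not access user {user_id}")
    return USERS[user_id]


def get_user_fixed(caller_id: int, user_id: int) -> User:
    return _authorize_user_access(caller_id, user_id)


def update_user_email_fixed(caller_id: int, user_id: int, new_email: str) -> User:
    target = _authorize_user_access(caller_id, user_id)
    target.email = new_email
    return target


# ---- CWE-79 / CVE-2025-40649 pattern: /api/v3/negotiations/<id>/posts ----

MAX_POST_LEN = 10_000  # assumed limit; the project's real limit is not known


def create_post_vulnerable(caller_id: int, negotiation_id: str, text: str) -> Post:
    """Stores the 'text' parameter verbatim."""
    post = Post(negotiation_id, caller_id, text)
    POSTS.append(post)
    return post


def render_posts_vulnerable(negotiation_id: str) -> str:
    """Interpolates stored text straight into HTML: a stored <script> runs in
    the browser of every user who opens the negotiation."""
    return "".join(f"<p>{p.text}</p>" for p in POSTS if p.negotiation_id == negotiation_id)


def create_post_fixed(caller_id: int, negotiation_id: str, text: str) -> Post:
    """Input validation: enforce a length limit and drop control characters
    (except newline and tab). Markup is deliberately not filtered here; tag
    blacklists are bypassable, so the real defence is encoding at output."""
    if len(text) > MAX_POST_LEN:
        raise ValueError("post text too long")
    clean = "".join(ch for ch in text if ch in "\n\t" or ch.isprintable())
    post = Post(negotiation_id, caller_id, clean)
    POSTS.append(post)
    return post


def render_posts_fixed(negotiation_id: str) -> str:
    """Context-aware output encoding: HTML-escape the text at the point it is
    placed in an HTML body, so a payload is displayed rather than executed."""
    return "".join(
        f"<p>{html.escape(p.text, quote=True)}</p>"
        for p in POSTS if p.negotiation_id == negotiation_id
    )


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # constructed test string
    print(get_user_vulnerable(1, 2))        # alice reads bob's record
    create_post_vulnerable(1, "neg-42", payload)
    print(render_posts_vulnerable("neg-42"))
    reset_posts()
    create_post_fixed(1, "neg-42", payload)
    print(render_posts_fixed("neg-42"))     # escaped, not executable
```

The authorisation helper is shared by every handler that takes a user id from the path, which is the point of the fix: the check must live in the object lookup, not be repeated (or forgotten) per route. For the post text, escaping belongs at the HTML sink; if the front end instead renders the text with a framework that already escapes interpolated values, the same rule applies to any path that bypasses that escaping.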
CVE
- CVE-2025-40649 | Severity: Medium | Exploitation: No | New vendor: BBMRI-ERIC
- CVE-2025-40676 | Severity: Medium | Exploitation: No | New vendor: BBMRI-ERIC