Multiple vulnerabilities in CanalDenuncia.app

Posted date 24/10/2025
Identifier
INCIBE-2025-0588
Importance
4 - High
Affected Resources

CanalDenuncia.app, versions prior to v4.4.8.

Description

INCIBE has coordinated the publication of 15 high-severity vulnerabilities affecting CanalDenuncia.app, a software platform for creating and managing internal reporting channels in companies. The vulnerabilities were discovered by David Utón Amaya (m3n0sd0n4ld).

Each vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-41111 to CVE-2025-41114 and from CVE-2025-41335 to CVE-2025-41345: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-862

Solution

The reported vulnerabilities have been fixed by the CanalDenuncia.app team in version 4.4.8.

Detail

A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST request.

The list of parameters and assigned identifiers is as follows:

  • CVE-2025-41111: parameter 'id_denuncia' in '/backend/api/buscarComentariosByDenuncia.php'.
  • CVE-2025-41112: parameter 'web' in '/backend/api/buscarConfiguracionParametros2.php'.
  • CVE-2025-41113: parameter 'id_denuncia' in '/backend/api/buscarDenunciaByPin.php'.
  • CVE-2025-41114: parameters 'id_denuncia' and 'id_user' in '/backend/api/buscarDocumentosByIdDenunciaUsuario.php'.
  • CVE-2025-41135: parameters 'id' and 'id_sociedad' in '/api/buscarEmpresaById.php'.
  • CVE-2025-41136: parameter 'web' in '/backend/api/buscarConfiguracionParametros.php'.
  • CVE-2025-41137: parameter 'web' in '/backend/api/buscarSSOParametros.php'.
  • CVE-2025-41138: parameters 'id_denuncia' and 'id_user' in '/backend/api/buscarTestigoByIdDenunciaUsuario.php'.
  • CVE-2025-41139: parameter 'id_sociedad' in '/backend/api/buscarTipoDenuncia.php'.
  • CVE-2025-41140: parameters 'id_tp_denuncia' and 'id_sociedad' in '/backend/api/buscarTipoDenunciabyId.php'.
  • CVE-2025-41141: parameters 'id_denuncia' and 'seguro' in '/backend/api/buscarUsuarioByDenuncia.php'.
  • CVE-2025-41142: parameter 'id_user' in '/backend/api/buscarUsuarioId.php'.
  • CVE-2025-41143: parameter 'email' in '/backend/api/users/searchUserByEmail.php'.
  • CVE-2025-41144: parameter 'id_archivo' in '/backend/api/verArchivo.php'.
  • CVE-2025-41145: parameters 'id_denuncia' and 'id_user' in '/backend/api/buscarDenunciasById.php'.
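
For installations that ran a version prior to 4.4.8, the endpoint list above can drive a retrospective review of web server access logs. The following is an added example, not code from INCIBE or the CanalDenuncia.app team: it assumes combined/common log format, treats 2xx responses as served data, and uses an arbitrary threshold. POST bodies are normally not logged, so it surfaces request volume per client, not the identifiers requested.

```python
import re
from collections import defaultdict

# Endpoint paths copied from the advisory's list above.
AFFECTED = {
    "/backend/api/buscarComentariosByDenuncia.php",
    "/backend/api/buscarConfiguracionParametros2.php",
    "/backend/api/buscarDenunciaByPin.php",
    "/backend/api/buscarDocumentosByIdDenunciaUsuario.php",
    "/api/buscarEmpresaById.php",
    "/backend/api/buscarConfiguracionParametros.php",
    "/backend/api/buscarSSOParametros.php",
    "/backend/api/buscarTestigoByIdDenunciaUsuario.php",
    "/backend/api/buscarTipoDenuncia.php",
    "/backend/api/buscarTipoDenunciabyId.php",
    "/backend/api/buscarUsuarioByDenuncia.php",
    "/backend/api/buscarUsuarioId.php",
    "/backend/api/users/searchUserByEmail.php",
    "/backend/api/verArchivo.php",
    "/backend/api/buscarDenunciasById.php",
}

# Assumed log layout: ip ident user [time] "METHOD target proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def triage(lines, threshold=3):
    """Return {client_ip: {endpoint: count}} for clients whose 2xx POSTs to
    affected endpoints total at least `threshold` (assumed value; tune it)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if method == "POST" and status.startswith("2") and path in AFFECTED:
            hits[ip][path] += 1
    return {ip: dict(eps) for ip, eps in hits.items()
            if sum(eps.values()) >= threshold}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [20/Oct/2025:10:00:01 +0000] "POST /backend/api/buscarUsuarioId.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Oct/2025:10:00:02 +0000] "POST /backend/api/buscarUsuarioId.php HTTP/1.1" 200 530',
    '198.51.100.7 - - [20/Oct/2025:10:00:03 +0000] "POST /backend/api/verArchivo.php HTTP/1.1" 200 90211',
    '203.0.113.9 - - [20/Oct/2025:10:01:00 +0000] "POST /backend/api/buscarDenunciaByPin.php HTTP/1.1" 200 640',
    '203.0.113.9 - - [20/Oct/2025:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '198.51.100.7 - - [20/Oct/2025:10:02:00 +0000] "POST /backend/api/buscarUsuarioId.php HTTP/1.1" 403 12',
]
```

Clients returned by `triage` are candidates for closer review against application logs and session records, since a legitimate front end also calls these endpoints.
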
CVE
Exploitation
No