Multiple vulnerabilities in Deporsite by T-INNOVA

Posted date 02/09/2025
Identifier
INCIBE-2024-0466
Importance
3 - Medium
Affected Resources

Deporsite, versions prior to DSuite 2025 v02.14.1115.

Description

INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Deporsite by T-INNOVA, a software programme for managing sports centres. The vulnerabilities were discovered by Héctor Sarrión.

Each vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-41030 and CVE-2025-41031: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-863

Solution

The vulnerabilities have been fixed by T-INNOVA in version DSuite 2025 v02.14.1115.

Detail
  • CVE-2025-41030: lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to obtain information from other users via a GET request to ‘/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona’ using the ‘dni’ parameter.
  • CVE-2025-41031: lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to change other users' profile pictures via a POST request to ‘/ajax/TInnova_c/FotoUsuario/llamadaAjax/uploadImage’ using the parameters ‘IdPersona’ and ‘Foto’.
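
For operators reviewing exposure on versions prior to the fix, the following added example (not part of the INCIBE advisory or of T-INNOVA's code) summarises, per client address, the requests made to the two endpoints named above. It assumes the web server writes Common/Combined Log Format; the sample lines, the `review` function and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoint paths exactly as named in the advisory.
LOOKUP = "/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona"
UPLOAD = "/ajax/TInnova_c/FotoUsuario/llamadaAjax/uploadImage"

# Assumption: Common/Combined Log Format; adjust the pattern for other formats.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}'
)

# Constructed sample lines (documentation addresses, placeholder dni values).
SAMPLE_LOG = f"""\
203.0.113.7 - - [01/Sep/2025:10:00:01 +0200] "GET {LOOKUP}?dni=SAMPLE-0001 HTTP/1.1" 200 512
203.0.113.7 - - [01/Sep/2025:10:00:02 +0200] "GET {LOOKUP}?dni=SAMPLE-0002 HTTP/1.1" 200 498
203.0.113.7 - - [01/Sep/2025:10:00:03 +0200] "GET {LOOKUP}?dni=SAMPLE-0003 HTTP/1.1" 200 505
198.51.100.20 - - [01/Sep/2025:10:05:00 +0200] "GET {LOOKUP}?dni=SAMPLE-0001 HTTP/1.1" 200 512
198.51.100.20 - - [01/Sep/2025:10:05:09 +0200] "POST {UPLOAD} HTTP/1.1" 200 64
192.0.2.5 - - [01/Sep/2025:10:06:00 +0200] "GET /index.php HTTP/1.1" 200 2048
"""


def review(log_text, lookup_threshold=3):
    """Return {client_ip: summary} for clients that touched either endpoint."""
    dnis = defaultdict(set)     # ip -> distinct 'dni' values looked up
    uploads = defaultdict(int)  # ip -> POSTs to the photo upload endpoint
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if m["method"] == "GET" and url.path == LOOKUP:
            dnis[m["ip"]].update(parse_qs(url.query).get("dni", []))
        elif m["method"] == "POST" and url.path == UPLOAD:
            # IdPersona/Foto travel in the request body, which access logs omit.
            uploads[m["ip"]] += 1
    return {
        ip: {
            "distinct_dni": len(dnis.get(ip, ())),
            "uploads": uploads.get(ip, 0),
            # Many different identifiers from one client suggests enumeration.
            "enumeration": len(dnis.get(ip, ())) >= lookup_threshold,
        }
        for ip in sorted(set(dnis) | set(uploads))
    }
```

Call `review()` with the text of an access log in place of `SAMPLE_LOG`. Because the upload parameters are not logged, any POST count to that endpoint needs correlation with application records to identify which profiles were changed.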
CVE
Exploitation
No