Multiple vulnerabilities in Prevengos by Nedatec Consulting
Posted date 25/09/2025
Identifier
INCIBE-2025-0517
Importance
4 - High
Affected Resources
Prevengos, versions prior to 2.48.
Description
INCIBE has coordinated the publication of two vulnerabilities, one high severity and one medium severity, affecting Prevengos by Nedatec Consulting, an occupational health and safety management software. The vulnerabilities were discovered by Pedro Gabaldón Juliá, Javier Medina Munuera, Antonio José Gálvez Sánchez, Alejandro Baño Andrés, and Álvaro Piñero Laorden.
Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40698: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-40699: CVSS v4.0: 5.6 | CVSS AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-327
Solution
The vulnerabilities have been fixed by the Nedatec Consulting team in version 2.48 of the application's web portal, released on 18/11/2024.
Detail
- CVE-2025-40698: SQL injection vulnerability in Prevengos v2.44 by Nedatec Consulting. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameters “mpsCentroin”, “mpsEmpresa”, “mpsProyecto”, and “mpsContrata” in “/servicios/autorizaciones.asmx/mfsRecuperarListado”.
- CVE-2025-40699: Use of a broken or risky cryptographic algorithm vulnerability in Prevengos v2.44 by Nedatec Consulting. This vulnerability allows an attacker to obtain the password in plain text by reversing the custom cryptographic algorithm used to encrypt passwords in the database.
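As an added example (not Prevengos code, and not part of this advisory), a request-inspection check a defender could run over POST requests to the endpoint and parameters named for CVE-2025-40698; the request records and parameter values below are constructed samples, not captured traffic.

```python
"""Flag SQL metacharacters in the four Prevengos parameters named in
CVE-2025-40698. Constructed example; the samples are not real traffic."""
import re
from urllib.parse import parse_qs

VULN_PATH = "/servicios/autorizaciones.asmx/mfsRecuperarListado"
VULN_PARAMS = {"mpsCentroin", "mpsEmpresa", "mpsProyecto", "mpsContrata"}

# Conservative indicators for values the application should only ever
# receive as plain identifiers (quotes, comment markers, SQL keywords).
SQLI_PATTERNS = [
    re.compile(r"'"),                                   # string delimiter
    re.compile(r"--|/\*|;"),                            # comment / terminator
    re.compile(r"\b(union|select|insert|update|delete|drop|exec)\b", re.I),
    re.compile(r"\b(or|and)\b\s+['\d]", re.I),          # boolean tautology shape
]

def inspect_request(method: str, path: str, body: str) -> list[dict]:
    """Return one finding per suspicious parameter value; [] when clean."""
    if method.upper() != "POST" or path.lower() != VULN_PATH.lower():
        return []
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in VULN_PARAMS:
            continue
        for value in values:
            hits = [p.pattern for p in SQLI_PATTERNS if p.search(value)]
            if hits:
                findings.append({"param": name, "value": value, "patterns": hits})
    return findings

# Constructed sample requests (hypothetical values, not real traffic).
SAMPLES = [
    ("POST", VULN_PATH, "mpsCentroin=12&mpsEmpresa=34&mpsProyecto=5&mpsContrata=7"),
    ("POST", VULN_PATH, "mpsCentroin=12'&mpsEmpresa=34&mpsProyecto=5&mpsContrata=7"),
    ("POST", VULN_PATH, "mpsCentroin=12&mpsEmpresa=34&mpsProyecto=5&mpsContrata=7--"),
    ("GET", "/servicios/autorizaciones.asmx/otro", "mpsEmpresa='"),
]

def scan_samples(samples=SAMPLES) -> list[tuple[int, list[dict]]]:
    """Return (sample index, findings) for every sample that produced findings."""
    out = []
    for i, (method, path, body) in enumerate(samples):
        findings = inspect_request(method, path, body)
        if findings:
            out.append((i, findings))
    return out

if __name__ == "__main__":
    for i, findings in scan_samples():
        print(i, findings)
```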
CVE
Exploitation
No