Multiple vulnerabilities in Stel Order
Posted date 14/05/2026
Identificador
INCIBE-2026-351
Importance
4 - High
Affected Resources
Stel Order platform, versions 3.25.1 and earlier.
Description
INCIBE has coordinated the disclosure of two high- and medium-severity vulnerabilities affecting the Stel Order platform, a comprehensive cloud-based management software. The vulnerabilities were discovered by Manuel Gomez Argandoña and David Padilla Alvarado, respectively.
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type for each vulnerability:
- CVE-2026-5798: CVSS v4.0 7.1 | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-639
- CVE-2026-5790: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
There is no solution reported at this time.
Detail
- CVE-2026-5798: unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.
- CVE-2026-5790: stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.
CVE
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2026-5790 | Media | No | Stel Order |
| CVE-2026-5798 | Alta | No | Stel Order |
References list
Etiquetas
