Multiple vulnerabilities in ViDay

Posted date 02/10/2025
Identifier
INCIBE-2025-0534
Importance
4 - High
Affected Resources

ViDay.

Description

INCIBE has coordinated the publication of two vulnerabilities, one high severity and one medium severity, affecting ViDay, a booking app. The vulnerabilities were discovered by Carolina Gómez Uriarte and Gema de la Fuente Romero.

Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40645: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-200
  • CVE-2025-40646: 5.9 | CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-200
Solution

No solution has been reported at this time.

Detail
  • CVE-2025-40645: exposure of sensitive information in ViDay. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to “/api/reserva/web/clients” using the “phone” parameter.
  • CVE-2025-40646: exposure of sensitive information in ViDay. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and inspecting the JWT, whose payload contains sensitive user information.
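The two patterns described above can be checked for from the defender's side: an access-log rule that flags unauthenticated GET requests to the client-lookup endpoint with a phone parameter (CVE-2025-40645), and a payload inspection that lists which personal-data claims a captured JWT discloses (CVE-2025-40646). This is an added example, not code from the advisory or from ViDay; the log line format, the list of sensitive claim names and the sample token are assumptions constructed for the demo.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory for CVE-2025-40645.
CLIENT_LOOKUP_PATH = "/api/reserva/web/clients"
CLIENT_LOOKUP_PARAM = "phone"

# Claim names commonly holding personal data (assumed list, not from the advisory).
SENSITIVE_CLAIMS = {"email", "phone", "telefono", "dni", "nif", "address", "direccion", "name", "nombre"}

# Assumed log line layout: METHOD PATH?QUERY STATUS AUTH, where AUTH is "-" if no
# Authorization header was sent and "Bearer" if one was.
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3}) (?P<auth>\S+)$")


def flag_unauthenticated_client_lookup(line: str):
    """Return (path, phone) when a log line is a successful, unauthenticated GET to the
    client-lookup endpoint with a phone parameter; otherwise None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    if (m.group("method") == "GET" and parts.path == CLIENT_LOOKUP_PATH
            and CLIENT_LOOKUP_PARAM in query and m.group("auth") == "-"
            and m.group("status") == "200"):
        return parts.path, query[CLIENT_LOOKUP_PARAM][0]
    return None


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT to see what it discloses.
    The signature is deliberately not verified: this inspects, it does not trust."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact-serialized JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def sensitive_claims(token: str) -> list:
    """Sorted names of payload claims that carry personal data."""
    return sorted(k for k in jwt_payload(token) if k.lower() in SENSITIVE_CLAIMS)


def make_demo_token(claims: dict) -> str:
    """Build a constructed JWT-shaped token with a dummy signature, for sample input only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


# Constructed sample data (not real customer data).
SAMPLE_LOG = [
    "GET /api/reserva/web/clients?phone=600000000 200 -",
    "GET /api/reserva/web/clients?phone=600000001 200 Bearer",
    "GET /api/reserva/web/reservas 200 Bearer",
]
SAMPLE_TOKEN = make_demo_token({"sub": "42", "email": "user@example.com", "telefono": "600000000", "exp": 0})
```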
CVE

CVE-2025-40645
  Exploitation: No
  New vendor: ViDay
  Severity: High

CVE-2025-40646
  Exploitation: No
  New vendor: ViDay
  Severity: Medium