Unprotected access to parts of the application in Epsilon RH by Grupo Castilla
Epsilon RH, versions prior to 3.03.36.0186.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting Epsilon RH by Grupo Castilla, a programme to digitise and automate all processes in the human resources management department. The vulnerability was discovered by Oscar Atienza.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-12461: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-522.
The vulnerability has been fixed by the Grupo Castilla team in version 3.03.36.0186.
CVE-2025-12461: This vulnerability allows an attacker to access parts of the application that are not protected by any type of access control. The attacker could access the path ‘…/epsilonnet/License/About.aspx’ and obtain information on both the licence and the configuration of the product, learning which modules are installed.
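To check whether the page described above has been reached without authentication, the following added example (not part of the advisory or of the vendor's tooling) scans a web server access log in IIS W3C extended format for successful anonymous requests to that path. It assumes the server logs `cs-username` as `-` for unauthenticated requests; the `/app` prefix, addresses and user names in the sample are constructed.

```python
# The advisory elides the start of the path, so only the suffix is matched.
SUFFIX = "/epsilonnet/license/about.aspx"

# Constructed sample log (IIS W3C extended format), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-01-10 08:01:12 GET /app/epsilonnet/License/About.aspx - 203.0.113.7 200
2025-01-10 08:02:40 GET /app/epsilonnet/Default.aspx jdoe 198.51.100.4 200
2025-01-10 08:03:05 GET /app/EpsilonNet/license/about.aspx - 203.0.113.7 200
2025-01-10 08:04:19 GET /app/epsilonnet/License/About.aspx - 192.0.2.55 302
2025-01-10 08:05:33 GET /app/epsilonnet/License/About.aspx hr_admin 198.51.100.9 200
"""


def find_anonymous_hits(log_text):
    """Return rows where the About page was served (200) to a client with no user name."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can change mid-file, so re-read it at every directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line
        row = dict(zip(fields, values))
        # Compare case-insensitively: IIS paths are not case-sensitive.
        stem = row.get("cs-uri-stem", "").lower()
        # Assumption: "-" in cs-username means the request carried no identity.
        if stem.endswith(SUFFIX) and row.get("cs-username") == "-" \
                and row.get("sc-status") == "200":
            hits.append(row)
    return hits


def summarize(hits):
    """Count matching requests per client address."""
    counts = {}
    for row in hits:
        counts[row["c-ip"]] = counts.get(row["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in summarize(find_anonymous_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} anonymous 200 response(s) for the About page")
```

Hits recorded after the upgrade to 3.03.36.0186 would indicate the page is still reachable without a session and that the fix should be verified.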



