Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-58156

Severity CVSS v4.0:
Pending analysis
Type:
CWE-285 Improper Authorization
Publication date:
29/08/2025
Last modified:
24/09/2025

Description

Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database.

Impact

Vector 3.x
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 1.90 LOW
Vector: CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector (AV): Physical
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

Base Score 3.x
1.90
Severity 3.x
LOW

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:nofusscomputing:centurion_erp:*:*:*:*:*:*:*:* 1.12.0 (including) 1.21.0 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools