Insecure Direct Object Reference on Deporsite by T-INNOVA
Deporsite Module, v05.29.0907.
INCIBE has coordinated the publication of 2 high severity vulnerabilities affecting the document signature management module of Deporsite, by T-INNOVA, which were discovered by Carlos Alonso Arranz.
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-3574 and CVE-2025-3575: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-639
The vulnerabilities have been fixed by the T-INNOVA team in release 2024.02 (DSuite2024 v06.1287 fix2).
T-INNOVA has identified the customers using the affected module and has applied the corresponding patch.
Insecure Direct Object Reference (IDOR) vulnerabilities in T-INNOVA's DocumentSignatureManager module could allow an attacker to obtain sensitive information from other users via the following parameters:
- CVE-2025-3574: "idUsuario" in the endpoint "/helper/Familia/obtenerFamiliaUsuario".
- CVE-2025-3575: "idUsuario" in the endpoint "/helper/Familia/establecerUsuarioSeleccion".
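
For operators reviewing request logs from the period before the patch, the following added example (not part of the advisory and not T-INNOVA code) flags clients that referenced many distinct "idUsuario" values on the two endpoints above. Because the vector states PR:N, it groups by client address rather than by authenticated user. The log record layout, the presence of the parameter in the logged query string, and the threshold of 3 are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# The two endpoints named in the advisory.
ENDPOINTS = {
    "/helper/Familia/obtenerFamiliaUsuario",
    "/helper/Familia/establecerUsuarioSeleccion",
}
PARAM = "idUsuario"

# Constructed sample records: (client address, request target).
# Assumption: the parameter is visible in the logged query string.
SAMPLE = [
    ("198.51.100.4", "/helper/Familia/obtenerFamiliaUsuario?idUsuario=4410"),
    ("198.51.100.4", "/helper/Familia/establecerUsuarioSeleccion?idUsuario=4411"),
    ("198.51.100.4", "/helper/Familia/obtenerFamiliaUsuario?idUsuario=4410"),
    ("203.0.113.7", "/helper/Familia/obtenerFamiliaUsuario?idUsuario=1000"),
    ("203.0.113.7", "/helper/Familia/obtenerFamiliaUsuario?idUsuario=1001"),
    ("203.0.113.7", "/helper/Familia/obtenerFamiliaUsuario?idUsuario=1002"),
    ("203.0.113.7", "/helper/Familia/establecerUsuarioSeleccion?idUsuario=1003"),
    ("203.0.113.7", "/index?idUsuario=9999"),  # other path, ignored
]


def ids_per_client(records):
    """Map each client to the set of idUsuario values it sent to ENDPOINTS."""
    seen = defaultdict(set)
    for client, target in records:
        parts = urlsplit(target)
        if parts.path.rstrip("/") not in ENDPOINTS:
            continue
        seen[client].update(parse_qs(parts.query).get(PARAM, []))
    return dict(seen)


def suspicious_clients(records, max_ids=3):
    """Clients that referenced more than max_ids distinct idUsuario values."""
    return sorted(c for c, ids in ids_per_client(records).items() if len(ids) > max_ids)


if __name__ == "__main__":
    for client in suspicious_clients(SAMPLE):
        print(client, sorted(ids_per_client(SAMPLE)[client]))
```

Tune `max_ids` to the largest number of linked users a legitimate account is expected to select; requests that carry the parameter in a POST body will not appear in a query-string log and need application-level logging instead.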