Insecure Direct Object References (IDOR) in DeporSite of T-Innova
DeporSite versions prior to v02.14.1115.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting DeporSite by T-Innova, a software for managing sports centers. The vulnerability was discovered by Pau Valls Peleteiro.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-41069: CVSS v4.0: 5.3 | CVSS vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | CWE-639.
The manufacturer T-INNOVA assures that the vulnerability is not present in version DSuite 2025 v02.14.1115.
CVE-2025-41069: Insecure Direct Object Reference (IDOR) vulnerability in DeporSite of T-INNOVA. This vulnerability allows an attacker to access or modify unauthorized resources by manipulating requests using the 'idUsuario' parameter in '/ajax/TInnova_v2/Formulario_Consentimiento/llamadaAjax/obtenerDatosConsentimientos', which could lead to the exposure or alteration of confidential data.
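
For operators reviewing whether an affected installation saw this behaviour before upgrading, the following added example (not part of the advisory and not T-Innova code) scans application audit records for requests to the endpoint above in which 'idUsuario' differs from the authenticated session's user. The record fields `session_user`, `path` and `params`, the staff allowlist and all sample values are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Endpoint and parameter named in the advisory.
ENDPOINT = ("/ajax/TInnova_v2/Formulario_Consentimiento/"
            "llamadaAjax/obtenerDatosConsentimientos")
PARAM = "idUsuario"

def _rec(session_user, path, requested_id):
    """Build one constructed audit record (field names are assumptions)."""
    return json.dumps({"session_user": session_user, "path": path,
                       "params": {PARAM: requested_id}})

# Constructed sample data, not real traffic.
SAMPLE_LOG = [
    _rec("1001", ENDPOINT, "1001"),        # user reads own consents
    _rec("1002", ENDPOINT, "1003"),        # foreign id
    _rec("1002", ENDPOINT, "1004"),        # second foreign id, same session
    _rec("1001", "/ajax/otro", "1005"),    # different endpoint, ignored
    "not-json",                            # malformed line, skipped
    _rec("9000", ENDPOINT, "1001"),        # hypothetical front-desk account
]

def find_mismatches(lines, staff=frozenset()):
    """Map each non-staff session user to the foreign idUsuario values it sent."""
    hits = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # keep reviewing the rest of the log
        if not isinstance(rec, dict):
            continue
        if str(rec.get("path", "")).split("?")[0] != ENDPOINT:
            continue
        owner = rec.get("session_user")
        requested = (rec.get("params") or {}).get(PARAM)
        if owner is None or requested is None or str(owner) in staff:
            continue
        if str(requested) != str(owner):
            hits[str(owner)].add(str(requested))
    return {user: sorted(ids) for user, ids in hits.items()}

if __name__ == "__main__":
    for user, ids in find_mismatches(SAMPLE_LOG, staff={"9000"}).items():
        print(f"session user {user} requested consent data for other ids: {ids}")
```

Accounts that legitimately act on behalf of other users belong in the `staff` set; every remaining hit is a session that asked for another user's consent data and is worth reviewing.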



