PT-2025-33825 · Bevy · Events/Groups
Ali Alhassoun
·
Publicado
2025-08-19
·
Atualizado
2025-09-07
·
CVE-2025-54599
CVSS v3.1
7.5
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
The Bevy Event service versions through 2025-07-22
Description
The Bevy Event service, used for eBay Seller Events and other activities, is susceptible to account takeover when Single Sign-On (SSO) is enabled and a victim modifies their configured email address. An attacker can create a new account and perform an SSO login to exploit this issue. The root cause is an SSO misconfiguration.
Recommendations
Versions through 2025-07-22: Review and correct the SSO configuration to prevent account takeover when email addresses are changed.
Exploit
Correção
Improper Access Control
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Events/Groups