PT-2025-30655 · WordPress · Dataverse Integration

Author: Kenneth Dunn · Published: 2025-07-24 · Updated: 2025-07-29 · CVE-2025-7695

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Dataverse Integration versions 2.77 through 2.81

Description
The plugin is susceptible to privilege escalation due to missing authorization checks in the reset password link REST endpoint. The endpoint's handler calls get_password_reset_key() unconditionally after verifying only that the caller is authenticated, so any authenticated user with Subscriber-level access or higher can obtain a password reset link for an administrator account and potentially hijack it. The vulnerable endpoint is /reset_password_link. The vulnerable parameters are id, email, and login.

Recommendations
Dataverse Integration versions 2.77 through 2.81: update to a version later than 2.81, if available. As a temporary workaround, restrict access to the reset password link endpoint to authorized personnel only.
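The flaw class described above, authentication mistaken for authorization in a WordPress REST route, and the two recommended responses (a proper capability check in the handler, and a site-level restriction of the endpoint as a stop-gap) are illustrated below. This is an added example written for this advisory, not code from the Dataverse Integration plugin; the route namespace (example-plugin/v1), the exact route path, and the parameter handling are assumptions, and only core WordPress APIs (register_rest_route, current_user_can, get_password_reset_key, rest_pre_dispatch) are used.

```php
<?php
/**
 * Added illustration for this advisory (not the plugin's own code).
 * Namespace, route path and parameters are assumptions.
 */

// --- Weak pattern: "authenticated" is treated as "authorized" -------------
// permission_callback accepts any logged-in user, and the handler then acts on
// whichever account the caller names. This is the shape of the bug the
// advisory describes; nothing ties the caller to the target account.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/reset_password_link_weak', array(
        'methods'             => 'POST',
        'permission_callback' => 'is_user_logged_in',           // Subscriber passes
        'callback'            => function ( WP_REST_Request $request ) {
            $user = get_userdata( (int) $request['id'] );        // caller picks target
            return rest_ensure_response( array(
                'key' => get_password_reset_key( $user ),        // no ownership check
            ) );
        },
    ) );
} );

// --- Hardened pattern ------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/reset_password_link', array(
        'methods' => 'POST',
        'args'    => array(
            'id' => array( 'type' => 'integer', 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
        // Authorization: the caller must be allowed to edit the *target* account.
        // 'edit_user' is a meta capability; WordPress maps it so that a user passes
        // for their own ID, and otherwise only if they hold 'edit_users'
        // (administrators by default). A Subscriber therefore cannot target an admin.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'edit_user', (int) $request['id'] ) ) {
                return new WP_Error( 'rest_forbidden', 'You may not reset this account.', array( 'status' => 403 ) );
            }
            return true;
        },
        'callback' => function ( WP_REST_Request $request ) {
            $user = get_userdata( (int) $request['id'] );
            if ( ! $user ) {
                return new WP_Error( 'rest_user_invalid', 'Unknown user.', array( 'status' => 404 ) );
            }
            $key = get_password_reset_key( $user );
            if ( is_wp_error( $key ) ) {
                return $key;
            }
            // Deliver the link to the account owner's mailbox, as wp-login.php's
            // lost-password flow does; never return the key to the API caller.
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            wp_mail( $user->user_email, 'Password reset', "Reset your password: $link" );
            return rest_ensure_response( array( 'sent' => true ) );
        },
    ) );
} );

// --- Temporary workaround (drop into wp-content/mu-plugins/) ---------------
// Implements the advisory's interim recommendation at the REST server level:
// short-circuit the route for callers who cannot manage users. Match the path
// against what the plugin actually registers on your site.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( false !== strpos( $request->get_route(), '/reset_password_link' )
         && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Endpoint restricted.', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
```

The important difference between the two routes is not the `permission_callback` being present (both have one) but what it checks: the hardened version decides per target user, via `current_user_can( 'edit_user', $id )`, rather than per caller. The mu-plugin filter runs before any plugin callback and so takes effect without modifying the vulnerable plugin; remove it once the site is on a fixed version.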

Tags: Fix · LPE · Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2025-7695

Affected Products: Dataverse Integration