PT-2025-33825 · Bevy · Events/Groups
Ali Alhassoun · Published 2025-08-19 · Updated 2025-09-07

| CVE | CVE-2025-54599 |
| CVSS v3.1 | 7.5 (High) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
The Bevy Event service, versions through 2025-07-22
Description
The Bevy Event service, used for eBay Seller Events and other activities, allows account takeover when Single Sign-On (SSO) is enabled and a victim changes the email address configured on their account. An attacker can create a new account and perform an SSO login to end up in the victim's account. The root cause is an SSO misconfiguration: after the address change, the service no longer ties the victim's account to its original owner, so an SSO login by a newly created identity can be resolved to the victim's account instead of to a new or separate one. The assigned vector rates the impact on confidentiality only (C:H/I:N/A:N); the advisory publishes no further technical details of the misconfiguration.
Recommendations
Versions through 2025-07-22: review and correct the SSO configuration so that changing an account's email address cannot allow a different identity to log in to that account. The advisory does not describe the vendor's fix; the standard hardening for this class of issue is to bind each SSO login to the identity provider's stable subject identifier (not to the email claim), to require verification of a new address before it takes effect, to never attach an incoming SSO identity to an existing local account without an explicit linking step performed from an authenticated session, and to audit existing SSO links for accounts whose address has changed.
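The advisory does not publish the exact misconfiguration. The Python example below is added here as an editorial illustration and is not Bevy's code; it models the common cause of the symptom described above, an SSO link keyed by the email address seen at link time, so that once the victim changes their address an attacker who obtains an identity-provider assertion carrying the released address is logged into the victim's account. Beside it is the hardened form from the recommendations, keyed by (issuer, subject). All class, function and account names, the issuer URL, the sample addresses, and the assumption that the attacker can register the released address at a self-service IdP are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    email: str


@dataclass
class Assertion:
    """What the service receives from the identity provider after an SSO login."""
    issuer: str
    sub: str                      # stable subject identifier assigned by the IdP
    email: str                    # email claim; can change or be re-issued to someone else
    email_verified: bool = True


class EmailKeyedSso:
    """Vulnerable pattern (an assumption about the root cause, not Bevy's actual code):
    the SSO link is keyed by the email address seen at link time and is never
    reconciled when the user later changes their configured address."""

    def __init__(self):
        self.accounts = {}
        self.links = {}           # email -> account_id
        self._next_id = 1

    def register(self, email):
        acct = Account(self._next_id, email.lower())
        self.accounts[acct.account_id] = acct
        self._next_id += 1
        return acct

    def find_by_email(self, email):
        return next((a for a in self.accounts.values() if a.email == email.lower()), None)

    def change_email(self, account_id, new_email):
        self.accounts[account_id].email = new_email.lower()
        # In EmailKeyedSso the stale entry left in self.links is the bug;
        # a subject-keyed link is unaffected by this change.

    def link_from_session(self, account_id, assertion):
        """Linking performed by an already authenticated user."""
        self.links[assertion.email.lower()] = account_id

    def sso_login(self, assertion):
        email = assertion.email.lower()
        if email in self.links:                       # stale link resolves to the old owner
            return self.accounts[self.links[email]]
        acct = self.find_by_email(email) or self.register(email)
        self.links[email] = acct.account_id
        return acct


class SubjectKeyedSso(EmailKeyedSso):
    """Hardened: the link is keyed by (issuer, sub). The email claim is used only
    to create a fresh account on first login, never to attach an assertion to an
    existing account without an explicit, authenticated linking step."""

    def __init__(self):
        super().__init__()
        self.links = {}           # (issuer, sub) -> account_id

    def link_from_session(self, account_id, assertion):
        self.links[(assertion.issuer, assertion.sub)] = account_id

    def sso_login(self, assertion):
        key = (assertion.issuer, assertion.sub)
        if key in self.links:
            return self.accounts[self.links[key]]
        if not assertion.email_verified:
            raise PermissionError("unverified email claim; refusing to create or link")
        if self.find_by_email(assertion.email) is not None:
            # Silent auto-link into an existing local account is the takeover path.
            raise PermissionError("account exists; link SSO from an authenticated session")
        acct = self.register(assertion.email)
        self.links[key] = acct.account_id
        return acct


def takeover_attempt(service_cls, victim_changes_email=True):
    """Replays the advisory's sequence and returns (victim account id, account id
    the attacker's SSO login lands in, or None if the service refused it)."""
    svc = service_cls()
    victim = svc.register("victim@example.com")
    svc.link_from_session(victim.account_id,
                          Assertion("https://idp.example", "sub-victim", "victim@example.com"))
    if victim_changes_email:
        # Victim changes their configured address; the old one is released.
        svc.change_email(victim.account_id, "victim-new@example.com")
    # Attacker creates a new identity asserting the victim's original address
    # (constructed assumption: a self-service IdP lets them register it).
    attacker = Assertion("https://idp.example", "sub-attacker", "victim@example.com")
    try:
        landed = svc.sso_login(attacker).account_id
    except PermissionError:
        landed = None
    return victim.account_id, landed


if __name__ == "__main__":
    print("email-keyed:  ", takeover_attempt(EmailKeyedSso))    # (1, 1): attacker is in the victim's account
    print("subject-keyed:", takeover_attempt(SubjectKeyedSso))  # (1, 2): attacker gets a separate new account
```

With the email-keyed service the attacker's login resolves to account 1, the victim's, because the link recorded at the victim's original address is never reconciled after the change. With the subject-keyed service the attacker's (issuer, sub) pair is unknown, the released address matches no current account, and the attacker simply receives a fresh account of their own; if the address were still in use, the hardened service refuses rather than auto-linking.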
Exploit
Fix
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2025-54599
Affected Products
Events/Groups