PT-2025-36258 · Elunez · Eladmin

Aibot88 · Published 2025-09-05 · Updated 2025-09-05 · CVE-2025-10014

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: elunez eladmin versions up to 2.7
Description: A flaw exists in elunez eladmin that affects the updateUserEmail function of the Email Address Handler component. Manipulating the id/email argument of the /api/users/updateEmail/ API endpoint leads to improper authorization. The attack can be performed remotely but is rated highly complex and difficult to exploit. An exploit has been published; it requires knowledge of the RSA-encrypted password of the targeted user account.
Recommendations: For versions up to 2.7, address the improper authorization issue by validating the id/email argument in the updateUserEmail function of the Email Address Handler component. Restrict access to the /api/users/updateEmail/ API endpoint until a fix is applied.
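An illustration of the check the recommendation calls for, added here as an example; it is not eladmin's code and does not reflect the project's real handler, data model or RSA password scheme. The handler binds the update to the user id established at login, rejects a request whose id does not match, and re-verifies the caller's password before changing the address. The names update_email, Session, User and verify_password, and the sample users, are assumptions constructed for the example.

```python
import hmac
import re
from dataclasses import dataclass
from hashlib import sha256

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class User:
    id: int
    email: str
    password_hash: str  # constructed: plain sha256 for the demo, not a real scheme


@dataclass
class Session:
    user_id: int  # identity established at login, never taken from the request body


# Constructed sample data: two ordinary, non-admin users.
USERS = {
    1: User(1, "alice@example.test", sha256(b"alice-pw").hexdigest()),
    2: User(2, "bob@example.test", sha256(b"bob-pw").hexdigest()),
}


def verify_password(user, password):
    # Constant-time comparison of the stored hash against the supplied password's hash.
    return hmac.compare_digest(user.password_hash, sha256(password.encode()).hexdigest())


def update_email(session, req):
    """Return (status, message) for a request {"id": int, "email": str, "password": str}."""
    # Authorization: the only id a caller may edit is the one bound to the session.
    # A vulnerable handler would trust req["id"] here; this one rejects any mismatch.
    if req.get("id") != session.user_id:
        return 403, "id does not belong to the authenticated user"
    user = USERS.get(session.user_id)
    if user is None:
        return 401, "unknown session"
    # Re-authenticate before a sensitive change so a session alone is not enough.
    if not verify_password(user, req.get("password", "")):
        return 401, "password verification failed"
    new_email = req.get("email", "")
    if not EMAIL_RE.match(new_email):
        return 400, "malformed email"
    user.email = new_email
    return 200, "email updated"
```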

Exploit · Fix

Weakness Enumeration
Improper Authorization
Incorrect Privilege Assignment

Related Identifiers
CVE-2025-10014

Affected Products
Eladmin