PT-2025-38716 · Unknown · Profession Fit, Eversports

Published 2025-09-22 · Updated 2025-09-23 · CVE-2025-59797

CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Profession Fit version 5.0.99 Build 44910

Description
The software allows bypassing authorization controls through direct requests to specific API endpoints and URLs. A direct request to the /api/challenges/{id} endpoint returns data without an authorization check; the vulnerable parameter is id. The eversports page, the user-management page and the plane page are likewise reachable by direct URL access without authorization.

Recommendations
Enforce authentication and authorization on the /api/challenges/{id} endpoint: the server must verify that the requesting user is permitted to access the challenge identified by id before returning it. Restrict direct access to the eversports page, the user-management page and the plane page to authorized users.
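The pattern behind this class of bug, and the fix the recommendations call for, is easiest to see side by side. The following is an added illustration and not code from Profession Fit: a minimal request router with the advisory's paths, a deliberately unchecked handler that serves any record or page to any caller, and a hardened handler that requires a session, checks object-level ownership of the challenge named by id, and limits the management pages to an admin role. The users, roles, challenge records and the admin-only role assignment are constructed for the example.

```python
"""Missing vs. enforced authorization on /api/challenges/{id} style routes.
Added example only; the data, roles and handlers are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: challenge records with an owner, and user roles.
CHALLENGES = {
    1: {"owner": "alice", "title": "10k steps"},
    2: {"owner": "bob", "title": "Plank week"},
}
USERS = {"alice": "member", "bob": "member", "carol": "admin"}

# Pages the advisory says must not be reachable by direct URL without authorization.
MANAGEMENT_PAGES = {"/eversports", "/user-management", "/plane"}

CHALLENGE_RE = re.compile(r"^/api/challenges/(\d+)$")


@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None models a request with no session


def vulnerable_handle(req):
    """The unchecked pattern: routes on the path alone, never looks at the caller."""
    m = CHALLENGE_RE.match(req.path)
    if m:
        rec = CHALLENGES.get(int(m.group(1)))
        return (200, rec) if rec else (404, None)
    if req.path in MANAGEMENT_PAGES:
        return (200, "page")
    return (404, None)


def hardened_handle(req):
    """Same routes with authentication, object-level and function-level checks."""
    # Authentication first: no session, no access to any record or page.
    if req.user is None or req.user not in USERS:
        return (401, None)
    role = USERS[req.user]
    m = CHALLENGE_RE.match(req.path)
    if m:
        rec = CHALLENGES.get(int(m.group(1)))
        if rec is None:
            return (404, None)
        # Object-level authorization: the id must belong to the caller (or caller is admin).
        if rec["owner"] != req.user and role != "admin":
            return (403, None)
        return (200, rec)
    if req.path in MANAGEMENT_PAGES:
        # Function-level authorization: management pages are admin-only.
        return (200, "page") if role == "admin" else (403, None)
    return (404, None)


def probe(handler):
    """Exercise the access-control conditions and return the status codes seen."""
    return {
        "anon_api": handler(Request("/api/challenges/1"))[0],
        "other_user_api": handler(Request("/api/challenges/1", "bob"))[0],
        "owner_api": handler(Request("/api/challenges/1", "alice"))[0],
        "anon_page": handler(Request("/user-management"))[0],
        "member_page": handler(Request("/plane", "bob"))[0],
        "admin_page": handler(Request("/eversports", "carol"))[0],
    }


def count_readable(handler, user=None):
    """Sweep the id space the way an attacker enumerating 'id' would; count hits."""
    return sum(
        1 for cid in CHALLENGES
        if handler(Request(f"/api/challenges/{cid}", user))[0] == 200
    )


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_handle), count_readable(vulnerable_handle))
    print("hardened:  ", probe(hardened_handle), count_readable(hardened_handle))
```

The distinction matters for the fix: rejecting unauthenticated callers alone would still let any logged-in member read other members' challenges by changing id, so the check has to be on the object, not just on the session.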

Related Identifiers

CVE-2025-59797

Affected Products

Profession Fit
Eversports