PT-2025-39885 · Unknown · Vasion Print+1
Pierre Barre · Published 2025-09-29 · Updated 2025-10-02
CVE-2025-34220
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Vasion Print versions prior to 25.1.102
Vasion Print Application versions prior to 25.1.1413
Description
The /api-gateway/identity/search-groups API endpoint does not require authentication. An unauthenticated remote attacker can enumerate every group object stored for a tenant by sending requests to https://.printercloud10.com/api-gateway/identity/search-groups and adjusting the Host header. The response includes internal identifiers such as group ID, source service ID, Azure AD object IDs, creation timestamps, and tenant IDs.
Recommendations
Update Vasion Print to version 25.1.102 or later.
Update Vasion Print Application to version 25.1.1413 or later.
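A log sweep for the behaviour in the description, as an added example that is not part of the original advisory or of Vasion's software: it flags successful unauthenticated requests to the endpoint and picks out clients whose requests span several Host values. The JSON log schema (`client`, `host`, `path`, `status`, `authenticated`), the sample records and the function names are assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

ENDPOINT = "/api-gateway/identity/search-groups"  # path named in the advisory

# Constructed sample records. The JSON field names are an assumed log schema,
# and the hosts and addresses are placeholders.
SAMPLE_LOG = """\
{"client": "198.51.100.7", "host": "tenant-a.example.test", "path": "/api-gateway/identity/search-groups", "status": 200, "authenticated": false}
{"client": "198.51.100.7", "host": "tenant-b.example.test", "path": "/api-gateway/identity/search-groups/", "status": 200, "authenticated": false}
{"client": "198.51.100.7", "host": "tenant-c.example.test", "path": "/api-gateway/identity/search-groups", "status": 401, "authenticated": false}
{"client": "203.0.113.20", "host": "tenant-a.example.test", "path": "/api-gateway/identity/search-groups", "status": 200, "authenticated": true}
{"client": "203.0.113.44", "host": "tenant-a.example.test", "path": "/api-gateway/identity/search-groups", "status": 200, "authenticated": false}
not-json
"""


def find_unauthenticated_hits(lines):
    """Return {client: {host: count}} for anonymous 2xx calls to ENDPOINT."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting
        if not isinstance(rec, dict):
            continue
        path = urlsplit(str(rec.get("path", ""))).path.rstrip("/")
        status = rec.get("status")
        # Records without an explicit authenticated=false flag are not counted.
        if path != ENDPOINT or rec.get("authenticated") is not False:
            continue
        if not (isinstance(status, int) and 200 <= status < 300):
            continue  # only count requests the server answered successfully
        hits[str(rec.get("client"))][str(rec.get("host")).lower()] += 1
    return {client: dict(hosts) for client, hosts in hits.items()}


def clients_spanning_tenants(hits, min_hosts=2):
    """Clients whose anonymous hits cover several Host values (tenants)."""
    return sorted(c for c, hosts in hits.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    found = find_unauthenticated_hits(SAMPLE_LOG.splitlines())
    print(found)
    print(clients_spanning_tenants(found))
```

Any hit at all on a version listed as affected means group data was served without authentication; the multi-host view separates a single stray request from a sweep across tenants.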
Exploit
Fix
Missing Authentication
Information Disclosure
Related Identifiers
Affected Products
Vasion Print
Vasion Print Application