PT-2025-40986 · Unknown · Negotiator

Published: 2025-10-07 · Updated: 2025-10-07 · CVE-2025-40676

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Negotiator version 3.15.2

Description

An Insecure Direct Object Reference (IDOR) exists in Negotiator. This allows an attacker to access or modify unauthorized resources by manipulating requests. The issue involves the userID parameter within the /api/v3/users/<userID> API endpoint, potentially leading to the exposure or alteration of sensitive data.

Recommendations

Apply appropriate access controls to the /api/v3/users/<userID> API endpoint to prevent unauthorized access based on the userID parameter.
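
The recommended object-level check, as an added example that is not Negotiator's code: the caller's identity comes from the authenticated session and is compared with the userID in the path before any record is read or changed. The handler, the ADMIN role, the editable-field list and the sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass

PREFIX = "/api/v3/users/"
# Constructed sample records; not Negotiator's real data model.
USERS = {
    "101": {"id": "101", "email": "alice@example.org"},
    "102": {"id": "102", "email": "bob@example.org"},
}
EDITABLE_FIELDS = {"email"}  # assumption: fields a user may change on their own record


@dataclass(frozen=True)
class Principal:
    """Identity taken from the verified session or token, never from the request path."""
    user_id: str
    roles: frozenset = frozenset()


def authorize(principal, target_id):
    """Object-level check: the caller must own the record or hold the admin role."""
    if principal is None:
        return 401
    if principal.user_id == target_id or "ADMIN" in principal.roles:
        return 200
    return 403  # decided before any lookup, so the reply does not reveal which IDs exist


def handle(principal, method, path, body=None):
    """Return (status, payload) for GET or PATCH on /api/v3/users/<userID>."""
    if not path.startswith(PREFIX):
        return 404, None
    target_id = path[len(PREFIX):]
    status = authorize(principal, target_id)
    if status != 200:
        return status, None
    record = USERS.get(target_id)
    if record is None:
        return 404, None
    if method == "GET":
        return 200, dict(record)
    if method == "PATCH":
        record.update({k: v for k, v in (body or {}).items() if k in EDITABLE_FIELDS})
        return 200, dict(record)
    return 405, None


def cross_user_matrix(method="GET"):
    """Regression check: status for every (caller, target) pair of ordinary users."""
    return {(c, t): handle(Principal(c), method, PREFIX + t)[0] for c in USERS for t in USERS}
```

cross_user_matrix() is meant to run in CI: every pair where caller and target differ should come back 403.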

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2025-40676

Affected Products: Negotiator