PT-2025-43674 · Unknown · Gn4 Publishing System
Published: 2025-10-24 · Updated: 2025-10-25 · CVE-2025-34293
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
GN4 Publishing System versions prior to 2.6
Description
GN4 Publishing System contains an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API’s object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users. This data includes the stored password and the account’s security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account. The API endpoints are vulnerable to unauthorized access through manipulation of user IDs. The vulnerable parameter is user id.
Recommendations
Update GN4 Publishing System to version 2.6 or later.
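For teams reviewing their own APIs for the flaw class in the description, the sketch below sets the missing check beside the two server-side controls that close it: an object-level authorization check against the session identity, and an allow-list of returned fields. It is an added illustration, not GN4 code; the handler names, the `User` fields and the sample records are hypothetical.

```python
# Added illustration; hypothetical names throughout, not GN4 code or its API.
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    name: str
    is_admin: bool
    password_hash: str
    security_question: str
    security_answer: str


# Constructed sample records.
USERS = {
    1: User(1, "alice", False, "hash-a", "First pet?", "rex"),
    2: User(2, "bob", False, "hash-b", "Birth city?", "oslo"),
    9: User(9, "root", True, "hash-r", "First car?", "saab"),
}

# Allow-list of fields the API may return; secrets never leave the server.
PUBLIC_FIELDS = ("id", "name")


class Forbidden(Exception):
    """Raised for both 'no such object' and 'not your object'."""


def get_user_vulnerable(caller_id: int, requested_id: int) -> dict:
    # Pattern from the description: the caller is authenticated, but the
    # requested id is never compared with the caller, and the full record
    # (password, security question and answer) is serialized.
    return asdict(USERS[requested_id])


def get_user_hardened(caller_id: int, requested_id: int) -> dict:
    caller = USERS.get(caller_id)
    target = USERS.get(requested_id)
    # One identical error for missing and foreign ids, so responses do not
    # reveal which user ids exist.
    if caller is None or target is None:
        raise Forbidden("not permitted")
    if caller.id != target.id and not caller.is_admin:
        raise Forbidden("not permitted")
    record = asdict(target)
    return {field: record[field] for field in PUBLIC_FIELDS}
```

The field allow-list matters independently of the ownership check: even an authorized read has no reason to return a stored password or recovery answer.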
Fix
IDOR
Affected Products
Gn4 Publishing System