PT-2025-48317 · Cerebrate · Cerebrate

Published: 2025-11-28 · Updated: 2025-12-01 · CVE-2025-66385

CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Cerebrate versions prior to 1.30

Description: The UsersController::edit function in Cerebrate allows an authenticated, non-privileged user to escalate their privileges, potentially obtaining a higher role such as administrator. The escalation is performed through the user-edit API endpoint by modifying the role id or organisation id parameters within the edit request. The role id and organisation id are the vulnerable parameters.

Recommendations: Update to version 1.30 or later. As a temporary workaround, restrict access to the user-edit API endpoint. Consider disabling the UsersController::edit function until a patch is available.
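The pattern the description points at, as an added illustration that is not Cerebrate's own code: an unsafe handler that copies every submitted field onto the user record, beside a hardened one that limits the writable fields by the requester's privilege and refuses the role id and organisation id from non-administrators. The field names, role values and request shape are assumptions.

```python
# Added illustration, not Cerebrate's code. Field names (role_id, organisation_id),
# role values and the request shape are assumptions chosen for the example.
from dataclasses import dataclass

ADMIN_ROLE_ID = 1                                    # assumed most privileged role
PRIVILEGED_FIELDS = {"role_id", "organisation_id"}   # only admins may set these
SELF_EDITABLE_FIELDS = {"email", "name"}             # any user, own account only

@dataclass
class User:
    id: int
    role_id: int
    organisation_id: int
    email: str = ""
    name: str = ""

class Forbidden(Exception):
    pass

def edit_user_unsafe(actor: User, target: User, payload: dict) -> User:
    # Vulnerable pattern: every submitted field is copied onto the record, so a
    # non-privileged actor can raise their own role_id or change organisation_id.
    for key, value in payload.items():
        if hasattr(target, key):
            setattr(target, key, value)
    return target

def edit_user_hardened(actor: User, target: User, payload: dict) -> User:
    # Hardened: derive the writable field set from the actor's privilege, reject
    # anything outside it, and forbid non-admins from editing other accounts.
    is_admin = actor.role_id == ADMIN_ROLE_ID
    if not is_admin and actor.id != target.id:
        raise Forbidden("non-admin may only edit their own account")
    allowed = SELF_EDITABLE_FIELDS | (PRIVILEGED_FIELDS if is_admin else set())
    rejected = set(payload) - allowed
    if rejected:
        # Reject instead of silently dropping so the attempt shows up in logs.
        raise Forbidden(f"fields not permitted for this user: {sorted(rejected)}")
    for key, value in payload.items():
        setattr(target, key, value)
    return target

def is_rejected(actor: User, target: User, payload: dict) -> bool:
    # Convenience for checks: True when the hardened handler refuses the edit.
    try:
        edit_user_hardened(actor, target, payload)
        return False
    except Forbidden:
        return True
```

Rejecting the request outright, rather than dropping the disallowed fields, also gives the detection side a log entry to alert on.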

Fix

LPE

Weakness Enumeration

Related Identifiers: CVE-2025-66385

Affected Products: Cerebrate