CVE-2025-66385

CVSS v4.0

9.4

Vector

AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions Cerebrate versions prior to 1.30

Description An authenticated, non-privileged user can escalate their privileges, such as obtaining an administrator role, in Cerebrate. This is achieved through the

user-edit

endpoint by modifying the

role id

organisation id

fields within an edit request to the

UsersController::edit

function. The

role id

and

organisation id

are vulnerable parameters.

Recommendations Update Cerebrate to version 1.30 or later.

Fix

LPE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-472

Related Identifiers

CVE-2025-66385

Affected Products

Cerebrate

CVE-2025-66385

Weakness Enumeration

Related Identifiers

Affected Products

References · 7