CVE-2025-45968

System PDV · System PDV

System PDV version 1.0 contains an Insecure Direct Object Reference (IDOR) vulnerability, allowing remote attackers to access sensitive information via the hash parameter in a URL.

Executive summary

A critical IDOR vulnerability in System PDV version 1.0 allows unauthenticated remote attackers to access unauthorized sensitive information by manipulating URL parameters.

Vulnerability

The application serves records through a direct object reference: the hash parameter in the URL selects the record to return, and the server does not check that value against the requesting user's session or permissions before responding. An unauthenticated remote attacker can therefore substitute a different hash and retrieve data belonging to other records or users. A hard-to-guess hash does not mitigate this: any value the attacker obtains (from a shared link, a Referer header, a log, or an earlier response) is honoured without an authorization check.

Business impact

The CVSS score of 9.8 reflects the severity of this information disclosure: the attack needs no credentials, no user interaction, and no tooling beyond a browser. By changing a single URL parameter, an attacker can bypass access controls and read sensitive business data or user records, and a short script can enumerate them in bulk, with regulatory (data-protection) and customer-trust consequences.

Remediation

Immediate Action: Upgrade to the latest version of System PDV as soon as a release that corrects this issue is available. After upgrading, verify the fix rather than assuming it: from one session, request a hash that belongs to a different account and confirm the server refuses it on every endpoint that accepts the hash parameter.

Proactive Monitoring: Monitor application and web-server logs for a single client issuing many requests that differ only in the hash parameter, particularly in rapid succession; that pattern indicates enumeration or scraping of records rather than normal use.
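One way to implement that monitoring, as an added example that is not part of the advisory or the System PDV code base: it parses combined-format access log lines and flags any client that requested at least a threshold number of distinct hash values within a sliding time window. The log format, the endpoint path /view.php, the parameter name hash and the thresholds are assumptions chosen for illustration; the sample lines are constructed, not real traffic.

```python
"""Flag clients that cycle through many distinct hash values in a short window.

Added example, not code from System PDV. Log format, endpoint path and
thresholds are assumptions; adapt them to the real deployment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not real traffic). 203.0.113.7 requests six different
# hashes in six seconds; 198.51.100.20 is an ordinary user viewing a few records
# over several minutes; the last two lines exercise the parser's skip paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /view.php?hash=8f3a1c HTTP/1.1" 200 1543
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /view.php?hash=8f3a1d HTTP/1.1" 200 1490
198.51.100.20 - - [10/Jun/2025:12:00:03 +0000] "GET /view.php?hash=c0ffee HTTP/1.1" 200 1602
203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET /view.php?hash=8f3a1e HTTP/1.1" 200 1511
203.0.113.7 - - [10/Jun/2025:12:00:04 +0000] "GET /view.php?hash=8f3a1f HTTP/1.1" 404 312
203.0.113.7 - - [10/Jun/2025:12:00:05 +0000] "GET /view.php?hash=8f3a20 HTTP/1.1" 200 1477
203.0.113.7 - - [10/Jun/2025:12:00:06 +0000] "GET /view.php?hash=8f3a21 HTTP/1.1" 200 1530
198.51.100.20 - - [10/Jun/2025:12:03:30 +0000] "GET /view.php?hash=c0ffef HTTP/1.1" 200 1598
198.51.100.20 - - [10/Jun/2025:12:09:00 +0000] "GET /view.php?hash=c0fff0 HTTP/1.1" 200 1601
198.51.100.20 - - [10/Jun/2025:12:09:05 +0000] "GET /login.php HTTP/1.1" 200 2210
this line is not in access-log format
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, hash, status} for a request carrying a hash parameter, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["url"]).query)
    if "hash" not in query:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "hash": query["hash"][0],
        "status": int(m["status"]),
    }


def find_enumeration(log_text, window=timedelta(seconds=60), min_distinct=5):
    """Map each suspicious client IP to the largest number of distinct hash
    values it requested inside any window of the given length."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["hash"] for e in evs[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"possible hash enumeration from {ip}: {count} distinct values in 60s")
```

Counting distinct values rather than raw request volume is what separates enumeration from a user reloading one page; in a vulnerable deployment the responses will mostly be 200, so the status code alone is not a useful signal.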

Compensating Controls: Until a fixed release is deployed, enforce object-level authorization at the application layer (the class of flaw OWASP lists as Broken Object Level Authorization): resolve the hash to a record on the server, verify that the authenticated user owns or is otherwise permitted to view that record, and only then return it. Use the same error response for a missing record and for a record the user may not view, so responses do not confirm which hashes exist. Lengthening or randomizing the hash is not a substitute for this check.
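The flaw described under Vulnerability and the object-level check described above, side by side as an added example; this is not code from System PDV, whose internals the advisory does not show. It models the lookup with an in-memory store: the vulnerable handler returns whatever record the hash names, the hardened one first checks that the session's user may see that record and fails identically for missing and forbidden records. The names (Record, User, lookup_vulnerable, lookup_secure, NotFound) and the sample data are invented for the illustration.

```python
"""Hash-keyed record lookup without and with object-level authorization.

Added example, not System PDV code. Types, function names and sample data are
assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    hash: str
    owner_id: int
    data: str


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


# Constructed sample data: two customers' records keyed by their URL hash.
RECORDS = {
    "8f3a1c": Record("8f3a1c", owner_id=1, data="customer 1 invoice"),
    "8f3a1d": Record("8f3a1d", owner_id=2, data="customer 2 invoice"),
}


class NotFound(Exception):
    """Raised for missing AND forbidden records, so the response does not
    tell the caller which hashes exist."""


def lookup_vulnerable(hash_param):
    """The IDOR: the hash alone selects the record; the caller is never consulted."""
    rec = RECORDS.get(hash_param)
    if rec is None:
        raise NotFound
    return rec.data


def can_view(user, rec):
    """Authorization policy: owners see their own records, admins see all.
    An anonymous session (user is None) sees nothing."""
    if user is None:
        return False
    return user.is_admin or rec.owner_id == user.id


def lookup_secure(session_user, hash_param):
    """Resolve the hash, then enforce the policy before returning anything."""
    rec = RECORDS.get(hash_param)
    if rec is None or not can_view(session_user, rec):
        raise NotFound  # identical failure for "no such record" and "not yours"
    return rec.data


def access_allowed(session_user, hash_param):
    """True if lookup_secure would return data for this session and hash."""
    try:
        lookup_secure(session_user, hash_param)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    attacker = User(id=1)
    # Vulnerable: customer 1 reads customer 2's invoice by changing the hash.
    print("vulnerable:", lookup_vulnerable("8f3a1d"))
    # Hardened: the same request is refused; the owner and an admin still succeed.
    print("secure, wrong user:", access_allowed(attacker, "8f3a1d"))
    print("secure, owner:", lookup_secure(User(id=2), "8f3a1d"))
    print("secure, admin:", lookup_secure(User(id=9, is_admin=True), "8f3a1d"))
```

The check belongs next to the data access, not in a front-end or URL-signing layer: every endpoint that resolves the hash must go through lookup_secure, because one unguarded route reintroduces the flaw for all records.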

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

IDOR vulnerabilities are exploited frequently because they need nothing more than a browser and a guessed or harvested identifier. Organizations running System PDV 1.0 should treat this as a high-priority risk, apply the vendor's update as soon as one is available, and in the meantime enforce server-side authorization on every request that accepts the hash parameter.