Multiple vulnerabilities in Anapi Group h6web
Posted date 13/02/2025
Identifier
INCIBE-2025-0083
Importance
5 - Critical
Affected Resources
- h6web application.
Description
INCIBE has coordinated the publication of 2 vulnerabilities, one of critical severity and one of medium severity, affecting h6web by Grupo Anapi, an application for managing guilds and online payments. They were discovered by Bertrand Lorente Yáñez.
Each vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-1270: CVSS v3.1: 9.1 | CVSS AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L | CWE-639
- CVE-2025-1271: CVSS v3.1: 6.1 | CVSS AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79
Solution
The Anapi Group team has taken the following actions:
- the Insecure Direct Object Reference vulnerability has been completely disabled;
- the Cross-Site Scripting (XSS) vulnerability has been fixed in the latest version.
Detail
- CVE-2025-1270: the insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web allows an authenticated attacker to access other users' information by sending a POST request to the “/h6web/ha_datos_hermano.php” endpoint with the “pkrelated” parameter modified to refer to another user. In addition, that first request could also allow the attacker to impersonate the other user: all requests made after exploitation of the IDOR vulnerability are executed with the privileges of the impersonated user.
- CVE-2025-1271: reflected Cross-Site Scripting (XSS) vulnerability in Anapi Group's h6web. This security flaw could allow an attacker to inject malicious JavaScript code into a URL. When a user accesses that URL, the injected code is executed in their browser, which can result in the theft of sensitive information, identity theft or the execution of unauthorised actions on behalf of the affected user.
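The following PHP script is an added illustration of the two defect classes described above (CVE-2025-1270 and CVE-2025-1271); it is not Anapi Group's code and says nothing about how h6web is actually implemented. The member table, the session and POST contents, the function names and the “related members” rule are all constructed for the demo so the file runs on the PHP CLI without a database. It shows an object lookup that trusts a client-supplied “pkrelated” value next to one that binds the lookup to the server-side session identity, and an HTML response that reflects request data unencoded next to one that encodes it.

```php
<?php
// Added example (not Anapi Group's code). All data and names are constructed.
declare(strict_types=1);

// Defence in depth for the XSS case: a CSP that blocks inline scripts. On the CLI
// header() is a no-op; in a web handler it must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// Constructed member table: primary key => record. Stands in for the database.
$members = [
    101 => ['name' => 'Member A', 'iban' => 'ES00 0000 0000 0000 0000 0001', 'related' => [102]],
    102 => ['name' => 'Member B', 'iban' => 'ES00 0000 0000 0000 0000 0002', 'related' => [101]],
    103 => ['name' => 'Member C', 'iban' => 'ES00 0000 0000 0000 0000 0003', 'related' => []],
];

// --- CVE-2025-1270 pattern: object reference taken from the request and trusted ---
function relatedDataInsecure(array $post, array $members): ?array
{
    // The caller picks any primary key; nothing ties it to the logged-in user.
    $pk = (int) ($post['pkrelated'] ?? 0);
    return $members[$pk] ?? null;
}

// Hardened form: identity comes from the server-side session only, and the
// requested record must be the user's own or explicitly related to it.
function relatedDataSecure(array $session, array $post, array $members): ?array
{
    $me = $session['user_id'] ?? null;          // never derived from $_POST
    if ($me === null || !isset($members[$me])) {
        return null;                             // not authenticated
    }
    $pk = filter_var($post['pkrelated'] ?? null, FILTER_VALIDATE_INT);
    if ($pk === false) {
        return null;                             // malformed reference
    }
    $allowed = array_merge([$me], $members[$me]['related']);
    if (!in_array($pk, $allowed, true)) {
        // Detection hook: a denied cross-user lookup is worth logging and alerting on.
        error_log("IDOR attempt: user $me requested pkrelated=$pk");
        return null;
    }
    // The session identity is never rewritten from the parameter, so a successful
    // lookup cannot turn into impersonation on later requests.
    return $members[$pk];
}

// --- CVE-2025-1271 pattern: request data reflected into HTML unencoded ---
function renderNameInsecure(string $name): string
{
    return "<h1>Hello, $name</h1>";
}

function renderNameSecure(string $name): string
{
    // Encoding for an HTML text node; ENT_QUOTES also covers attribute contexts.
    return '<h1>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h1>';
}

// --- Demo on constructed input: user 101 is logged in and asks for member 103 ---
$session = ['user_id' => 101];
$post    = ['pkrelated' => '103'];

var_dump(relatedDataInsecure($post, $members)['name']);         // "Member C": leaked
var_dump(relatedDataSecure($session, $post, $members));         // NULL: denied and logged

$post['pkrelated'] = '102';
var_dump(relatedDataSecure($session, $post, $members)['name']); // "Member B": related, allowed

$reflected = '<script>alert(1)</script>';
echo renderNameInsecure($reflected), "\n"; // script tag reaches the browser
echo renderNameSecure($reflected), "\n";   // &lt;script&gt;... rendered as text
```

The authorization rule in relatedDataSecure (own record plus an explicit “related” list) is an assumption chosen for the demo; the point that carries over is that the permitted set is computed from the session user on the server, the client-supplied key is only checked against it, and a denied lookup is logged so repeated probing of “pkrelated” values is visible in monitoring.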