@c4m0uflag3
Created January 24, 2026 14:06
CVE-2025-67274 - Broken Access Control (BOLA) in aangine
CVE ID:
CVE-2025-67274
Vendor:
Continuous Software
Product:
aangine
Product URL:
https://aangine.com/
Affected Version:
2025.2
Vulnerability Type:
Broken Access Control (BOLA - Broken Object Level Authorization)
Description:
A Broken Access Control vulnerability in the aangine application's API layer allows low-privileged authenticated users to access multiple admin-restricted API endpoints and retrieve sensitive data. The affected APIs fail to properly validate the user's role or scope claims carried in the JWT, so an authenticated session is effectively treated as an authorized one, enabling unauthorized access to administrative resources.
Affected Components:
Multiple admin-restricted backend API endpoints responsible for administrative operations, including template management, integration job listings, logging and monitoring functions, and portfolio or project-related data retrieval.
Attack Vector:
A low-privileged authenticated user can directly send HTTP requests to admin-restricted API endpoints without accessing the administrative interface. Due to missing authorization checks at the API layer, role and scope validations are bypassed, resulting in unauthorized access to sensitive administrative data.
Impact:
Unauthorized disclosure of sensitive administrative information, including internal configuration data, integration job details, logs, and portfolio or project-related records.
Remediation:
The vendor has acknowledged the issue and implemented backend-side authorization controls. The vulnerability has been fixed in the current release following remediation efforts and verification testing.
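The authorization gap described under "Attack Vector" and the backend-side fix described under "Remediation", as an added illustration that is not aangine's code: the vulnerable handler only checks that a verified JWT is present, while the fixed handler also requires the role and scope claims that the route's policy demands and denies admin-prefixed routes by default. Route paths, claim names (`roles`, `scope`) and policy values are hypothetical placeholders; the advisory does not publish the product's real endpoints, and the example assumes the JWT signature has already been verified upstream.

```python
# Added example, not aangine's code. Assumes the JWT signature has already been
# verified and only the decoded claims dict reaches this authorization layer.

# Constructed placeholder policy: admin-restricted routes and the role/scope each needs.
# The paths are hypothetical; the advisory does not publish aangine's real routes.
ADMIN_POLICY = {
    ("GET", "/api/admin/templates"):        {"role": "admin", "scope": "templates:read"},
    ("GET", "/api/admin/integration-jobs"): {"role": "admin", "scope": "jobs:read"},
    ("GET", "/api/admin/logs"):             {"role": "admin", "scope": "logs:read"},
}
ADMIN_PREFIX = "/api/admin/"


def authorize_vulnerable(method, path, claims):
    """Pattern behind the CVE: being authenticated is treated as being authorized.
    The route's required role and scope are never consulted."""
    return claims.get("sub") is not None


def authorize_fixed(method, path, claims):
    """Backend-side authorization: the token's role AND scope must satisfy the
    route's policy; admin-prefixed routes with no policy entry are denied."""
    if claims.get("sub") is None:
        return False                                   # unauthenticated
    rule = ADMIN_POLICY.get((method, path))
    if rule is None:
        # Deny by default for any admin route the policy does not explicitly cover;
        # non-admin routes fall through to their own (per-object) checks.
        return not path.startswith(ADMIN_PREFIX)
    roles = claims.get("roles") or []                  # assumed claim name
    scopes = set((claims.get("scope") or "").split())  # space-delimited OAuth-style scope string
    return rule["role"] in roles and rule["scope"] in scopes


# Constructed sample claims, as they would look after signature verification.
LOW_PRIV = {"sub": "user-17", "roles": ["user"], "scope": "projects:read"}
ADMIN = {"sub": "user-1", "roles": ["admin"], "scope": "templates:read jobs:read logs:read"}

if __name__ == "__main__":
    for name, claims in (("low-priv", LOW_PRIV), ("admin", ADMIN)):
        for method, path in ADMIN_POLICY:
            print(f"{name:8} {method} {path}: "
                  f"vulnerable={authorize_vulnerable(method, path, claims)} "
                  f"fixed={authorize_fixed(method, path, claims)}")
```

Running it shows the low-privileged token passing every admin route under the vulnerable check and failing all of them under the fixed one, while the admin token passes only the routes its scopes cover.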
References:
- CVE-2025-67274
Credits:
Taha YILDIRIM