CVE-2025-1270

Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:anapi:h6web:-:*:*:*:*:*:*:*

History

29 Jan 2026, 19:27

Type	Values Removed	Values Added
Summary		(es) La vulnerabilidad de referencia directa a objetos insegura (IDOR) en h6web de Anapi Group permite a un atacante autenticado acceder a la información de otros usuarios mediante una solicitud POST y modificando el parámetro “pkrelated” en el endpoint “/h6web/ha_datos_hermano.php” para hacer referencia a otro usuario. Además, la primera solicitud también podría permitir al atacante hacerse pasar por otros usuarios. Como resultado, todas las solicitudes realizadas después de la explotación de la vulnerabilidad IDOR se ejecutarán con los privilegios del usuario suplantado.
First Time		Anapi h6web Anapi
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web - Third Party Advisory
CPE		cpe:2.3:a:anapi:h6web:-:::::::*

13 Feb 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-13 13:15

Updated : 2026-01-29 19:27

NVD link : CVE-2025-1270

Mitre link : CVE-2025-1270

CVE.ORG link : CVE-2025-1270

JSON object : View

Products Affected

anapi

h6web

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-1270", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2025-02-13T13:15:09.273", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-anapi-group-h6web", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the \u201cpkrelated\u201d parameter in the \u201c/h6web/ha_datos_hermano.php\u201d endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user."}, {"lang": "es", "value": "La vulnerabilidad de referencia directa a objetos insegura (IDOR) en h6web de Anapi Group permite a un atacante autenticado acceder a la informaci\u00f3n de otros usuarios mediante una solicitud POST y modificando el par\u00e1metro \u201cpkrelated\u201d en el endpoint \u201c/h6web/ha_datos_hermano.php\u201d para hacer referencia a otro usuario. Adem\u00e1s, la primera solicitud tambi\u00e9n podr\u00eda permitir al atacante hacerse pasar por otros usuarios. Como resultado, todas las solicitudes realizadas despu\u00e9s de la explotaci\u00f3n de la vulnerabilidad IDOR se ejecutar\u00e1n con los privilegios del usuario suplantado."}], "lastModified": "2026-01-29T19:27:51.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:anapi:h6web:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "50A1F49F-CA64-4AA2-BC41-C7F097F37BA2"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}