CVE-2025-42602

This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts.

CVSS

No CVSS.

References

Link	Resource
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0082

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Esta vulnerabilidad existe en las soluciones Meon KYC debido a la gestión incorrecta de los tokens de acceso y actualización en ciertos endpoints de la API del proceso de autenticación. Un atacante remoto podría explotar esta vulnerabilidad interceptando y manipulando las respuestas a través del cuerpo de la solicitud de la API, lo que conlleva el acceso no autorizado a otras cuentas de usuario.

23 Apr 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-23 11:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-42602

Mitre link : CVE-2025-42602

CVE.ORG link : CVE-2025-42602

JSON object : View

Products Affected

No product.

CWE

CWE-384

Session Fixation

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-42602", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "vdisclose@cert-in.org.in", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-23T11:15:46.933", "references": [{"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0082", "source": "vdisclose@cert-in.org.in"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "vdisclose@cert-in.org.in", "description": [{"lang": "en", "value": "CWE-384"}, {"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts."}, {"lang": "es", "value": "Esta vulnerabilidad existe en las soluciones Meon KYC debido a la gesti\u00f3n incorrecta de los tokens de acceso y actualizaci\u00f3n en ciertos endpoints de la API del proceso de autenticaci\u00f3n. Un atacante remoto podr\u00eda explotar esta vulnerabilidad interceptando y manipulando las respuestas a trav\u00e9s del cuerpo de la solicitud de la API, lo que conlleva el acceso no autorizado a otras cuentas de usuario."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "vdisclose@cert-in.org.in"}