CVE-2025-27568

An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04

Configurations

No configuration.

History

16 Apr 2025, 13:25

Type	Values Removed	Values Added
Summary		(es) Un atacante no autenticado puede obtener los correos electrónicos de los usuarios conociendo sus nombres de usuario. Se enviará un correo electrónico de restablecimiento de contraseña en respuesta a esta solicitud no solicitada.

15 Apr 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-15 21:15

Updated : 2025-04-16 13:25

NVD link : CVE-2025-27568

Mitre link : CVE-2025-27568

CVE.ORG link : CVE-2025-27568

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-27568", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-15T21:15:55.060", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04", "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request."}, {"lang": "es", "value": "Un atacante no autenticado puede obtener los correos electr\u00f3nicos de los usuarios conociendo sus nombres de usuario. Se enviar\u00e1 un correo electr\u00f3nico de restablecimiento de contrase\u00f1a en respuesta a esta solicitud no solicitada."}], "lastModified": "2025-04-16T13:25:59.640", "sourceIdentifier": "ics-cert@hq.dhs.gov"}