CVE-2025-46826

insa-auth is an authentication server for INSA Rouen. A minor issue allowed third-party websites to access the server's secondary authentication bridge, potentially revealing basic student information (name and number). However, the issue posed minimal risk, was never exploited, and had limited impact. A fix was implemented promptly on May 3, 2025.

CVSS

No CVSS.

References

Link	Resource
https://github.com/INSAgenda/insa-auth/commit/8c1e68b2fb55aa952f522ead55a6587526982a2c
https://github.com/INSAgenda/insa-auth/commit/b0e7508e6ca4360e39fb1fd931f8d47b1f992ced
https://github.com/INSAgenda/insa-auth/commit/c77cf2e25778f83ebf5c4fdb4ded3ffcc8cfd74d
https://github.com/INSAgenda/insa-auth/security/advisories/GHSA-63xr-gvjv-r6xv

Configurations

No configuration.

History

08 May 2025, 14:39

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-07 22:15

Updated : 2025-05-08 14:39

NVD link : CVE-2025-46826

Mitre link : CVE-2025-46826

CVE.ORG link : CVE-2025-46826

JSON object : View

Products Affected

No product.

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2025-46826", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 1.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-07T22:15:21.320", "references": [{"url": "https://github.com/INSAgenda/insa-auth/commit/8c1e68b2fb55aa952f522ead55a6587526982a2c", "source": "security-advisories@github.com"}, {"url": "https://github.com/INSAgenda/insa-auth/commit/b0e7508e6ca4360e39fb1fd931f8d47b1f992ced", "source": "security-advisories@github.com"}, {"url": "https://github.com/INSAgenda/insa-auth/commit/c77cf2e25778f83ebf5c4fdb4ded3ffcc8cfd74d", "source": "security-advisories@github.com"}, {"url": "https://github.com/INSAgenda/insa-auth/security/advisories/GHSA-63xr-gvjv-r6xv", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "insa-auth is an authentication server for INSA Rouen. A minor issue allowed third-party websites to access the server's secondary authentication bridge, potentially revealing basic student information (name and number). However, the issue posed minimal risk, was never exploited, and had limited impact. A fix was implemented promptly on May 3, 2025."}, {"lang": "es", "value": "insa-auth es un servidor de autenticaci\u00f3n para INSA Rouen. Un peque\u00f1o problema permiti\u00f3 que sitios web de terceros accedieran al puente de autenticaci\u00f3n secundario del servidor, lo que podr\u00eda revelar informaci\u00f3n b\u00e1sica del estudiante (nombre y n\u00famero). Sin embargo, el problema represent\u00f3 un riesgo m\u00ednimo, nunca fue explotado y tuvo un impacto limitado. Se implement\u00f3 una soluci\u00f3n r\u00e1pidamente el 3 de mayo de 2025."}], "lastModified": "2025-05-08T14:39:09.683", "sourceIdentifier": "security-advisories@github.com"}