CVE-2025-1542 - Vulnerability Details - OpenCVE

Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using a guest access or an unprivileged account to gain additional administrative permissions in the application.This issue affects OXARI ServiceDesk in versions before 2.0.324.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://cert.pl/en/posts/2025/03/CVE-2025-1542/
https://www.oxari.com/en/product/oxari-servicedesk

History

Wed, 26 Mar 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 26 Mar 2025 11:15:00 +0000

Type	Values Removed	Values Added
Description		Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using a guest access or an unprivileged account to gain additional administrative permissions in the application.This issue affects OXARI ServiceDesk in versions before 2.0.324.0.
Title		Improper permission control in OXARI ServiceDesk
Weaknesses		CWE-863
References		https://cert.pl/en/posts/2025/03/CVE-2025-1542/ https://www.oxari.com/en/product/oxari-servicedesk
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2025-03-26T11:07:08.665Z

Updated: 2025-03-26T17:34:30.246Z

Reserved: 2025-02-21T09:29:15.269Z

Link: CVE-2025-1542

Vulnrichment

Updated: 2025-03-26T17:33:13.782Z

NVD

Status : Received

Published: 2025-03-26T11:15:38.240

Modified: 2025-03-26T11:15:38.240

Link: CVE-2025-1542

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1542", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2025-02-21T09:29:15.269Z", "datePublished": "2025-03-26T11:07:08.665Z", "dateUpdated": "2025-03-26T17:34:30.246Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OXARI ServiceDesk", "vendor": "Infonet Projekt SA", "versions": [{"lessThan": "2.0.324.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Robert Jaroszuk - Penetration Tester @ Lufthansa Systems Poland"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper permission control <span style=\"background-color: rgb(255, 255, 255);\">vulnerability</span> in the OXARI ServiceDesk <span style=\"background-color: rgb(255, 255, 255);\">application</span> could allow an attacker using a guest access or an unprivileged account to gain additional administrative permissions in the application.<p>This issue affects OXARI ServiceDesk in versions before 2.0.324.0.</p>"}], "value": "Improper permission control\u00a0vulnerability in the OXARI\u00a0ServiceDesk\u00a0application could allow an attacker\u00a0using a guest access or an unprivileged account to gain additional administrative permissions in the application.This issue affects OXARI\u00a0ServiceDesk in versions before 2.0.324.0."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-03-26T11:07:08.665Z"}, "references": [{"url": "https://cert.pl/en/posts/2025/03/CVE-2025-1542/"}, {"url": "https://www.oxari.com/en/product/oxari-servicedesk"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper permission control in OXARI ServiceDesk", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-26T17:32:36.051581Z", "id": "CVE-2025-1542", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T17:34:30.246Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1542", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-26T17:32:36.051581Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T17:33:13.782Z"}}], "cna": {"title": "Improper permission control in OXARI ServiceDesk", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Robert Jaroszuk - Penetration Tester @ Lufthansa Systems Poland"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Infonet Projekt SA", "product": "OXARI ServiceDesk", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.324.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2025/03/CVE-2025-1542/"}, {"url": "https://www.oxari.com/en/product/oxari-servicedesk"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper permission control\u00a0vulnerability in the OXARI\u00a0ServiceDesk\u00a0application could allow an attacker\u00a0using a guest access or an unprivileged account to gain additional administrative permissions in the application.This issue affects OXARI\u00a0ServiceDesk in versions before 2.0.324.0.", "supportingMedia": [{"type": "text/html", "value": "Improper permission control <span style=\"background-color: rgb(255, 255, 255);\">vulnerability</span> in the OXARI ServiceDesk <span style=\"background-color: rgb(255, 255, 255);\">application</span> could allow an attacker using a guest access or an unprivileged account to gain additional administrative permissions in the application.<p>This issue affects OXARI ServiceDesk in versions before 2.0.324.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-03-26T11:07:08.665Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1542", "state": "PUBLISHED", "dateUpdated": "2025-03-26T17:34:30.246Z", "dateReserved": "2025-02-21T09:29:15.269Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2025-03-26T11:07:08.665Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper permission control\u00a0vulnerability in the OXARI\u00a0ServiceDesk\u00a0application could allow an attacker\u00a0using a guest access or an unprivileged account to gain additional administrative permissions in the application.This issue affects OXARI\u00a0ServiceDesk in versions before 2.0.324.0."}], "id": "CVE-2025-1542", "lastModified": "2025-03-26T11:15:38.240", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2025-03-26T11:15:38.240", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2025/03/CVE-2025-1542/"}, {"source": "cvd@cert.pl", "url": "https://www.oxari.com/en/product/oxari-servicedesk"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cvd@cert.pl", "type": "Primary"}]}