CVE-2025-0739 - Vulnerability Details - OpenCVE

An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to show subscription's information of others users by changing the "SUSCBRIPTION_ID" param of the endpoint "/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>".

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Thesamur	Embedai

Configuration 1 [-]

cpe:2.3:a:thesamur:embedai:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai

History

Fri, 10 Oct 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Thesamur Thesamur embedai
CPEs		cpe:2.3:a:thesamur:embedai::::::::
Vendors & Products		Thesamur Thesamur embedai

Thu, 30 Jan 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 30 Jan 2025 11:15:00 +0000

Type	Values Removed	Values Added
Description		An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to show subscription's information of others users by changing the "SUSCBRIPTION_ID" param of the endpoint "/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>".
Title		Improper Access Control vulnerability in EmbedAI
Weaknesses		CWE-284
References		https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2025-01-30T11:10:48.173Z

Updated: 2025-01-30T14:59:17.678Z

Reserved: 2025-01-27T12:21:45.376Z

Link: CVE-2025-0739

Vulnrichment

Updated: 2025-01-30T14:59:03.100Z

NVD

Status : Analyzed

Published: 2025-01-30T11:15:11.607

Modified: 2025-10-10T16:41:46.343

Link: CVE-2025-0739

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-0739", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2025-01-27T12:21:45.376Z", "datePublished": "2025-01-30T11:10:48.173Z", "dateUpdated": "2025-01-30T14:59:17.678Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EmbedAI", "vendor": "EmbedAI", "versions": [{"lessThan": "2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "datePublic": "2025-01-30T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to show subscription's information of others users by changing the \"SUSCBRIPTION_ID\" param of the endpoint \"/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>\"."}], "value": "An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to show subscription's information of others users by changing the \"SUSCBRIPTION_ID\" param of the endpoint \"/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>\"."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-01-30T11:12:58.347Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability has been resolved by EmbedAI team in version 2.1."}], "value": "The vulnerability has been resolved by EmbedAI team in version 2.1."}], "source": {"discovery": "EXTERNAL"}, "title": "Improper Access Control vulnerability in EmbedAI", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-30T14:59:09.159077Z", "id": "CVE-2025-0739", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-30T14:59:17.678Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0739", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-30T14:59:09.159077Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-30T14:59:03.100Z"}}], "cna": {"title": "Improper Access Control vulnerability in EmbedAI", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "EmbedAI", "product": "EmbedAI", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability has been resolved by EmbedAI team in version 2.1.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability has been resolved by EmbedAI team in version 2.1.", "base64": false}]}], "datePublic": "2025-01-30T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to show subscription's information of others users by changing the \"SUSCBRIPTION_ID\" param of the endpoint \"/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>\".", "supportingMedia": [{"type": "text/html", "value": "An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to show subscription's information of others users by changing the \"SUSCBRIPTION_ID\" param of the endpoint \"/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>\".", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-01-30T11:12:58.347Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0739", "state": "PUBLISHED", "dateUpdated": "2025-01-30T14:59:17.678Z", "dateReserved": "2025-01-27T12:21:45.376Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2025-01-30T11:10:48.173Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thesamur:embedai:*:*:*:*:*:*:*:*", "matchCriteriaId": "A81F2612-1390-41C8-99A6-710A2EBB498A", "versionEndExcluding": "2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to show subscription's information of others users by changing the \"SUSCBRIPTION_ID\" param of the endpoint \"/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>\"."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de control de acceso inadecuado en EmbedAI 2.1 y versiones anteriores. Esta vulnerabilidad permite a un atacante autenticado mostrar informaci\u00f3n de suscripci\u00f3n de otros usuarios modificando el par\u00e1metro \"SUSCBRIPTION_ID\" de el endpoint \"/demos/embedai/subscriptions/show/\"."}], "id": "CVE-2025-0739", "lastModified": "2025-10-10T16:41:46.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-30T11:15:11.607", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}