Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-21092

Summary
Assigner-icscert
Assigner Org ID-7d14cffa-0d7d-4270-9dc0-52cabd5a23a6
Published At-04 Mar, 2025 | 23:49
Updated At-05 Mar, 2025 | 16:11
Rejected At-
Credits

GMOD Apollo Incorrect Privilege Assignment

GMOD Apollo does not have sufficient logical or access checks when updating a user's information. This could result in an attacker being able to escalate privileges for themselves or others.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:icscert
Assigner Org ID:7d14cffa-0d7d-4270-9dc0-52cabd5a23a6
Published At:04 Mar, 2025 | 23:49
Updated At:05 Mar, 2025 | 16:11
Rejected At:
▼CVE Numbering Authority (CNA)
GMOD Apollo Incorrect Privilege Assignment

GMOD Apollo does not have sufficient logical or access checks when updating a user's information. This could result in an attacker being able to escalate privileges for themselves or others.

Affected Products
Vendor
GMOD
Product
Apollo
Default Status
unaffected
Versions
Affected
  • From 0 before 2.8.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-266CWE-266 Incorrect Privilege Assignment
Type: CWE
CWE ID: CWE-266
Description: CWE-266 Incorrect Privilege Assignment
Metrics
VersionBase scoreBase severityVector
4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

GMOD recommends users to update to the newest Version 2.8.0 https://github.com/GMOD/Apollo .

Configurations
Workarounds
Exploits
Credits
finder
CISA reported these vulnerabilities to GMOD.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07
N/A
Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:ics-cert@hq.dhs.gov
Published At:05 Mar, 2025 | 00:15
Updated At:05 Mar, 2025 | 00:15

GMOD Apollo does not have sufficient logical or access checks when updating a user's information. This could result in an attacker being able to escalate privileges for themselves or others.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-266Primaryics-cert@hq.dhs.gov
CWE ID: CWE-266
Type: Primary
Source: ics-cert@hq.dhs.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07ics-cert@hq.dhs.gov
N/A
Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07
Source: ics-cert@hq.dhs.gov
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

5Records found
CVE-2022-3876
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.35%
||
7 Day CHG~0.00%
Published-19 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 12:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Click Studios Passwordstate API authorization

A vulnerability, which was classified as problematic, has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This issue affects some unknown processing of the file /api/browserextension/UpdatePassword/ of the component API. The manipulation of the argument PasswordID leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier VDB-216245 was assigned to this vulnerability.

Action-Not Available
Vendor-clickstudiosClick Studios
Product-passwordstatePasswordstate Browser Extension ChromePasswordstate
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-6758
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.30%
||
7 Day CHG~0.00%
Published-12 Aug, 2024 | 10:20
Updated-22 Aug, 2025 | 09:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Privilege Management vulnerability in Sprecher Automation SPRECON-E

Improper Privilege Management in Sprecher Automation SPRECON-E below version 8.71j allows a remote attacker with low privileges to save unauthorized protection assignments.

Action-Not Available
Vendor-sprecher-automationSprecher Automation
Product-sprecon-e-p_ds6-0_firmwaresprecon-e-p_dq6-1_firmwaresprecon-e_ap-2200_firmwaresprecon-e_cp-2500_firmwaresprecon-e-t3_firmwaresprecon-e-p_dq6-1sprecon-e-p_dd6-2_firmwaresprecon-e-p_dl6-1_firmwaresprecon-edirsprecon-edir_firmwaresprecon-e-p_ds6-0sprecon-e-p_dl6-1sprecon-e_cp-2500sprecon-e_ap-2200sprecon-e_cp-2330_firmwaresprecon-e-csprecon-e_cp-2330sprecon-e-c_firmwaresprecon-e_cp-2131sprecon-e_cp-2131_firmwaresprecon-e-t3sprecon-e-t3_ax-3110_firmwaresprecon-e-t3_ax-3110sprecon-e-p_dd6-2SPRECON-E
CWE ID-CWE-266
Incorrect Privilege Assignment
CVE-2020-26182
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-6.8||MEDIUM
EPSS-0.13% / 33.49%
||
7 Day CHG~0.00%
Published-16 Oct, 2020 | 18:10
Updated-16 Sep, 2024 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC NetWorker versions prior to 19.3.0.2 contain an incorrect privilege assignment vulnerability. A non-LDAP remote user with low privileges may exploit this vulnerability to perform 'saveset' related operations in an unintended manner. The vulnerability is not exploitable by users authenticated via LDAP.

Action-Not Available
Vendor-Dell Inc.
Product-emc_networkerNetWorker
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2023-2816
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-8.7||HIGH
EPSS-0.13% / 32.86%
||
7 Day CHG~0.00%
Published-02 Jun, 2023 | 22:43
Updated-07 Oct, 2024 | 20:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Consul Envoy Extension Downsteam Proxy Configuration By Upstream Service Owner

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

Action-Not Available
Vendor-HashiCorp, Inc.
Product-consulConsulConsul Enterpriseconsul
CWE ID-CWE-266
Incorrect Privilege Assignment
CVE-2024-47653
Matching Score-4
Assigner-Indian Computer Emergency Response Team (CERT-In)
ShareView Details
Matching Score-4
Assigner-Indian Computer Emergency Response Team (CERT-In)
CVSS Score-7.1||HIGH
EPSS-0.10% / 28.35%
||
7 Day CHG~0.00%
Published-04 Oct, 2024 | 12:15
Updated-16 Oct, 2024 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization Vulnerability

This vulnerability exists in Shilpi Client Dashboard due to lack of authorization for modification and cancellation requests through certain API endpoints. An authenticated remote attacker could exploit this vulnerability by placing or cancelling requests through API request body leading to unauthorized modification of requests belonging to the other users.

Action-Not Available
Vendor-shilpisoftShilpi Computers
Product-client_dashboardClient Dashboard
CWE ID-CWE-266
Incorrect Privilege Assignment
Details not found