Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-58156

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-29 Aug, 2025 | 21:40
Updated At-29 Aug, 2025 | 21:40
Rejected At-
Credits

Centurion ERP users can view hashed authentication tokens that belong to other users

Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:29 Aug, 2025 | 21:40
Updated At:29 Aug, 2025 | 21:40
Rejected At:
▼CVE Numbering Authority (CNA)
Centurion ERP users can view hashed authentication tokens that belong to other users

Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database.

Affected Products
Vendor
nofusscomputing
Product
centurion_erp
Versions
Affected
  • >= 1.12.0, < 1.21.0
Problem Types
TypeCWE IDDescription
CWECWE-285CWE-285: Improper Authorization
Type: CWE
CWE ID: CWE-285
Description: CWE-285: Improper Authorization
Metrics
VersionBase scoreBase severityVector
3.11.9LOW
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 1.9
Base severity: LOW
Vector:
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-x75j-cm35-5qcg
x_refsource_CONFIRM
https://github.com/nofusscomputing/centurion_erp/pull/974
x_refsource_MISC
https://github.com/nofusscomputing/centurion_erp/commit/332eb1075ad828e5c4c24caeaf5605259eb7ce34
x_refsource_MISC
Hyperlink: https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-x75j-cm35-5qcg
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/nofusscomputing/centurion_erp/pull/974
Resource:
x_refsource_MISC
Hyperlink: https://github.com/nofusscomputing/centurion_erp/commit/332eb1075ad828e5c4c24caeaf5605259eb7ce34
Resource:
x_refsource_MISC
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:29 Aug, 2025 | 22:15
Updated At:29 Aug, 2025 | 22:15

Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.11.9LOW
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 1.9
Base severity: LOW
Vector:
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-285Primarysecurity-advisories@github.com
CWE ID: CWE-285
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/nofusscomputing/centurion_erp/commit/332eb1075ad828e5c4c24caeaf5605259eb7ce34security-advisories@github.com
N/A
https://github.com/nofusscomputing/centurion_erp/pull/974security-advisories@github.com
N/A
https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-x75j-cm35-5qcgsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/nofusscomputing/centurion_erp/commit/332eb1075ad828e5c4c24caeaf5605259eb7ce34
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/nofusscomputing/centurion_erp/pull/974
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-x75j-cm35-5qcg
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2024-53855
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-1.9||LOW
EPSS-0.03% / 7.86%
||
7 Day CHG~0.00%
Published-27 Nov, 2024 | 18:27
Updated-27 Nov, 2024 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User can view tickets from organizations they're not apart of in centurion_erp

Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.

Action-Not Available
Vendor-nofusscomputing
Product-centurion_erp
CWE ID-CWE-653
Improper Isolation or Compartmentalization
CVE-2022-36857
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-1.9||LOW
EPSS-0.09% / 27.12%
||
7 Day CHG~0.00%
Published-09 Sep, 2022 | 14:40
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Authorization vulnerability in Photo Editor prior to SMR Sep-2022 Release 1 allows physical attackers to read internal application data.

Action-Not Available
Vendor-Google LLCSamsungSamsung Electronics
Product-androidphoto_editorSamsung Mobile Devices
CWE ID-CWE-285
Improper Authorization
CVE-2022-36852
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-1.9||LOW
EPSS-0.03% / 8.22%
||
7 Day CHG~0.00%
Published-09 Sep, 2022 | 14:40
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Authorization vulnerability in Video Editor prior to SMR Sep-2022 Release 1 allows local attacker to access internal application data.

Action-Not Available
Vendor-Google LLCSamsung Electronics
Product-androidSamsung Mobile Devices
CWE ID-CWE-285
Improper Authorization
Details not found