CRITICAL🇵🇱 Wersja polska

CVE-2025-0987

CVSS 9.9v3.1pub. 2025-11-03upd. 2026-06-06

Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection. This issue affects CVLand: from 2.1.0 through 20251103. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key) involves the application using a user-controlled value as a key to make authorization decisions. An attacker can conduct a Parameter Injection attack by modifying request parameters in such a way as to gain access to resources or functions for which they normally do not have permissions. The attack vector is network-based (AV:N), does not require victim interaction or high privileges (a regular user account is sufficient), and the attack scope covers components beyond the application itself (S:C).

Impact

An attacker with a basic account in the system can bypass access control mechanisms, gaining unauthorized access to other users' data or sensitive system resources, and potentially modifying data and disrupting application functionality.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. It should be noted that the manufacturer did not respond to contact attempts as part of responsible vulnerability disclosure, which may indicate that no fix is available — in such case, it is recommended to consider disabling or isolating the application until a patch is released.

Who is affected

CVLand by CB Project Ltd. Co. in versions from 2.1.0 to 20251103 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References