CRITICAL🇵🇱 Wersja polska

CVE-2025-8350

CVSS 9.8v3.1pub. 2026-02-19upd. 2026-06-05

Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting. This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Analysis
How it works

The vulnerability results from two related weaknesses: CWE-306 (missing authentication for critical function) and CWE-698 (Execution After Redirect). The EAR mechanism works by the application sending a redirect response to the user, but simultaneously continuing to execute server-side code — before the client is actually redirected. An attacker can thereby gain access to protected resources or functions without needing a valid session. Additionally, HTTP Response Splitting is possible, which can lead to injection of malicious HTTP headers.

Impact

A remote, unauthenticated attacker can bypass authorization mechanisms, gain access to protected administrative functions, and potentially take control of the application — violating the confidentiality, integrity, and availability of the system.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. Note: the manufacturer (Inrove Software and Internet Services) did not respond to the vulnerability report before its disclosure — in case of no official patch, it is recommended to consider temporarily disconnecting the system from the Internet or implementing firewall rules blocking unauthorized access to critical application paths until an update is released.

Who is affected

BiEticaret CMS in versions from 2.1.13 to 19022026 (inclusive).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References