
THREATINT
PUBLISHED

CVE-2025-2192

Stoque Zeev.it Login Page server-side request forgery



Description


A vulnerability, which was classified as problematic, was found in Stoque Zeev.it 4.24. This affects an unknown part of the file /Login?inpLostSession=1 of the component Login Page. The manipulation of the argument inpRedirectURL leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Reserved 2025-03-11 | Published 2025-03-11 | Updated 2025-03-11 | Assigner VulDB


MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
MEDIUM: 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N

Problem types

Server-Side Request Forgery

Product status

4.24: affected

Timeline

2025-03-11: Advisory disclosed
2025-03-11: VulDB entry created
2025-03-11: VulDB entry last update

Credits

Samuel Jesus (VulDB User) reporter

Samuel Jesus (VulDB User) analyst

References

vuldb.com/?id.299217 (VDB-299217 | Stoque Zeev.it Login Page server-side request forgery) vdb-entry technical-description

vuldb.com/?ctiid.299217 (VDB-299217 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.511708 (Submit #511708 | https://stoque.com.br Zeev 4.24 Zeev.it SSRF via inpRedirectURL Parameter on the Login Page) third-party-advisory

drive.google.com/...TUj8FDOVMwfl9-7j8LRcK4V/view?usp=sharing exploit

cve.org (CVE-2025-2192)

nvd.nist.gov (CVE-2025-2192)
