5.3 CVE-2025-4064
A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/viewenquiry.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
https://nvd.nist.gov/vuln/detail/CVE-2025-4064
Categories
CWE-266 : Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Mitigation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. Run your code using the lowest privileges required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are used only for a single task, so that a successful attack does not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Observed examples:
- Untrusted user placed in the Unix "wheel" group.
- Product allows users to grant themselves certain rights that can be used to escalate privileges.
- Product uses the group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.
- Product mistakenly assigns a particular status to an entity, leading to increased privileges.
CWE-862 : Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Terminology: "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC"), an abbreviation of "authentication." Using "Auth" on its own is discouraged, since it could mean either authentication or authorization.
Detection: Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine whether the lack of authorization violates business logic.
Mitigation: Ensure that access control checks are performed related to the business logic. These checks may differ from the access control checks applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access to medical records to a specific database user, but each record might be intended to be accessible only to the patient and the patient's doctor [REF-7]. Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
Observed examples:
- Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information.
- Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.
- Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.
- Terminal server does not check authorization for guest access.
- System monitoring software allows users to bypass authorization by creating custom forms.
- Content management system does not check access permissions for private files, allowing others to view those files.
- Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files.
- Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.
- Database server does not use appropriate privileges for certain sensitive operations.
- Gateway uses default "Allow" configuration for its authorization settings.
- Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
- Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
- Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
- Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
- Chain: bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap.
- ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
- Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.
- Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
- OS kernel does not check for a certain privilege before setting ACLs for files.
- Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
- Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
- Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862).
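The two CWE entries above describe exactly the pattern behind an admin script reachable without a check: either no authorization is performed at all (CWE-862), or the privilege is taken from something the client controls (CWE-266). The following is an added example written for this page, not code from ScriptAndTools Online Travel System; it shows what a script like /admin/viewenquiry.php looks like with a default-deny guard that is decided only from server-side session state, plus the least-privilege database account the CWE-266 mitigation recommends. The function names, the $_SESSION keys, the enquiry_ro account, the ENQUIRY_RO_PASSWORD variable and the enquiry table are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from ScriptAndTools Online Travel System.
 * Names (is_admin_request, is_admin_session, require_admin, $_SESSION keys,
 * the enquiry_ro account and the enquiry table) are assumptions.
 */

/* Vulnerable pattern 1 (CWE-862): the script has no authorization check at
 * all, it just reads ?id= and renders the record, so any remote client that
 * knows the URL can read every enquiry. */

/* Vulnerable pattern 2 (CWE-266): the privilege is taken from the request,
 * so a user can grant themselves admin simply by sending ?role=admin. */
function is_admin_request(array $request): bool
{
    return ($request['role'] ?? '') === 'admin';   // attacker-controlled
}

/* Hardened pattern: decide from server-side session state set at login,
 * and treat anything missing or malformed as a deny. */
function is_admin_session(array $session): bool
{
    return !empty($session['user_id'])
        && ($session['role'] ?? null) === 'admin';
}

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        // Not logged in: redirect to the login page and render nothing.
        header('Location: /admin/login.php', true, 302);
        exit;
    }
    if (!is_admin_session($_SESSION)) {
        // Logged in but not an admin: refuse explicitly.
        http_response_code(403);
        exit('Forbidden');
    }
}

require_admin();   // must run before any data is read or any output is sent

// Validate the record id as an integer; reject anything else.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Bad request');
}

// CWE-266 mitigation: this page only reads enquiries, so connect with a
// dedicated read-only database account instead of the application-wide or
// root account. The password is taken from the environment (assumed name).
$pdo = new PDO(
    'mysql:host=localhost;dbname=travel;charset=utf8mb4',
    'enquiry_ro',
    getenv('ENQUIRY_RO_PASSWORD') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
$stmt = $pdo->prepare('SELECT id, name, email, message FROM enquiry WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    exit('Not found');
}
foreach ($row as $field => $value) {
    echo htmlspecialchars((string) $field, ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The guard runs before the id is even parsed, so an unauthenticated request gets a redirect and an authenticated non-admin gets a 403, and neither ever touches the database. The `enquiry_ro` account would be created with only `GRANT SELECT ON travel.enquiry` (an assumed grant for the assumed table), so even if another flaw in this page were found, the attacker's reach stops at read access to that one table. A quick check after deploying such a fix is to request the script with no cookie at all and confirm you receive the redirect rather than record data.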
References
cna@vuldb.com
https://vuldb.com/?ctiid.306501 Permissions Required VDB Entry |
https://vuldb.com/?id.306501 Third Party Advisory VDB Entry |
https://vuldb.com/?submit.559467 Third Party Advisory VDB Entry |
https://www.websecurityinsights.my.id/2025/04/script-and-tools-online-travlin... Third Party Advisory |
CPE
cpe | start | end |
---|---|---|
Configuration 1 | | |
cpe:2.3:a:scriptandtools:online_traveling_system:1.0:*:*:*:*:*:*:* | | |
REMEDIATION
EXPLOITS
Exploit-db.com
id | description | date | |
---|---|---|---|
No known exploits |
POC Github
Url |
---|
No known exploits |
Other Nist (github, ...)
Url |
---|
No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
id | description | severity |
---|---|---|
665 | Exploitation of Thunderbolt Protection Flaws | Very High |
MITRE
Techniques
id | description |
---|---|
T1211 | Exploitation for Defensive Evasion |
T1542.002 | Pre-OS Boot:Component Firmware |
T1556 | Modify Authentication Process |
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
id | description |
---|---|
M1051 | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
M1051 | Perform regular firmware updates to mitigate risks of exploitation and/or abuse. |
M1018 | Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts. |
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |