CVE-2025-41010

N/A Unknown

📋 TL;DR

An incorrect CORS configuration in Hiberus Sintra allows attackers to perform cross-origin requests with credentials, potentially enabling unauthorized privileged actions and access to confidential information. This affects organizations using Hiberus Sintra with vulnerable configurations.

💻 Affected Systems

Products:
  • Hiberus Sintra
Versions: Specific versions not specified in advisory
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when Access-Control-Allow-Credentials is enabled with overly permissive CORS origins

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could perform administrative actions, access sensitive user data, or compromise the entire application by exploiting the misconfigured CORS policy.

🟠 Likely Case

Attackers could steal session cookies, perform CSRF attacks, or access user-specific data through malicious websites.

🟢 If Mitigated

With proper CORS configuration, cross-origin requests would be properly restricted, preventing unauthorized access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a malicious website that the victim visits while logged in, but no authentication to the target application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in advisory

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/cross-origin-resource-sharing-cors-hiberus-sintra

Restart Required: No

Instructions:

1. Update Hiberus Sintra to latest version
2. Review and correct CORS configuration
3. Ensure Access-Control-Allow-Origin is not set to wildcard (*) when credentials are enabled

🔧 Temporary Workarounds

Restrict CORS Origins (applies to: all)

Configure CORS to only allow specific trusted origins instead of wildcards

Disable Credentials in CORS (applies to: all)

Set Access-Control-Allow-Credentials to false if not required

🧯 If You Can't Patch

  • Implement WAF rules to block malicious cross-origin requests
  • Use Content Security Policy (CSP) headers to restrict script sources

🔍 How to Verify

Check if Vulnerable:

Test the CORS configuration by sending cross-origin requests (an Origin header from a domain you do not trust) with credentials and checking whether the response allows that origin with Access-Control-Allow-Credentials: true.

Check Version:

Check Hiberus Sintra documentation for version information

Verify Fix Applied:

Verify that cross-origin requests with credentials are properly rejected unless from explicitly allowed origins
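The following is an added example for the "Ensure Access-Control-Allow-Origin is not set to wildcard" fix step and the "How to Verify" checks above; it is not code from the advisory, from INCIBE, or from Hiberus Sintra. It shows the weak pattern (echoing any Origin with credentials) next to the corrected exact-match allow-list, and a classifier that rates a response to a probe with an untrusted Origin. It goes slightly beyond the advisory text by also flagging `null` origins and reflected origins, which are the forms of this misconfiguration that browsers actually honour with credentials (browsers refuse to pair `*` with credentials, so the wildcard case is rated as a policy error rather than an exposure). The origin names and the trusted list are constructed for the demo; `probe_live` is only for a URL you are authorised to test and is not called by the offline demo.

```python
from urllib import request, error

# Constructed allow-list for the example; a real deployment would load its own.
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def reflecting_cors_headers(origin):
    """Weak pattern: echo whatever Origin arrived and allow credentials.
    Any site the user visits can then read authenticated responses."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlist_cors_headers(origin, trusted=TRUSTED_ORIGINS):
    """Corrected pattern: exact-match allow-list, credentials only for listed
    origins, and Vary: Origin so caches do not serve one origin's answer to another."""
    if origin in trusted:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}  # no CORS headers: the browser blocks the cross-origin read


def assess_cors_response(probe_origin, headers, trusted=TRUSTED_ORIGINS):
    """Classify a response to a request that carried 'Origin: probe_origin'.
    Returns (severity, reason) with severity in {"ok", "weak", "vulnerable"}."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return ("ok", "no CORS headers; cross-origin reads are blocked by default")
    if acao == "*":
        # Browsers refuse '*' together with credentials, so nothing leaks today,
        # but the policy is wrong and should be corrected.
        return ("weak" if creds else "ok",
                "wildcard origin" + (" combined with credentials" if creds else " without credentials"))
    if acao == "null":
        return ("vulnerable" if creds else "weak",
                "'null' origin allowed; sandboxed iframes and local files send Origin: null")
    if acao == probe_origin:
        if probe_origin in trusted:
            return ("ok", "origin is on the allow-list")
        return ("vulnerable" if creds else "weak",
                "untrusted origin reflected" + (" with credentials" if creds else ""))
    return ("ok", "response is scoped to a different origin")


def probe_live(url, probe_origin, trusted=TRUSTED_ORIGINS, timeout=10):
    """Send one GET with a chosen Origin header to a URL you are authorised to
    test and assess the returned headers (not used by the offline demo)."""
    req = request.Request(url, headers={"Origin": probe_origin}, method="GET")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            headers = dict(resp.headers.items())
    except error.HTTPError as e:
        headers = dict(e.headers.items())
    return assess_cors_response(probe_origin, headers, trusted)


def run_offline_demo():
    """Assess constructed responses for an untrusted origin and a look-alike one."""
    evil = "https://evil.example"
    # A look-alike origin defeats prefix/substring matching; exact matching rejects it.
    lookalike = "https://app.example.com.evil.example"
    trusted = "https://app.example.com"
    return {
        "reflecting_evil": assess_cors_response(evil, reflecting_cors_headers(evil)),
        "allowlist_evil": assess_cors_response(evil, allowlist_cors_headers(evil)),
        "allowlist_lookalike": assess_cors_response(lookalike, allowlist_cors_headers(lookalike)),
        "allowlist_trusted": assess_cors_response(trusted, allowlist_cors_headers(trusted)),
        "wildcard_creds": assess_cors_response(
            evil, {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}),
    }


if __name__ == "__main__":
    for name, (severity, reason) in run_offline_demo().items():
        print(f"{name:20s} {severity:10s} {reason}")
```

To use the live probe against your own deployment, call `probe_live("https://sintra.yourdomain.example/some/authenticated/endpoint", "https://origin-you-do-not-trust.example")` and treat a `vulnerable` result as confirmation that the fix has not been applied; after the fix, the same probe should return `ok` and a probe from a listed origin should also return `ok`.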

📡 Detection & Monitoring

Log Indicators:

  • Unusual cross-origin requests
  • Requests with unexpected Origin headers

Network Indicators:

  • Cross-origin requests with credentials to sensitive endpoints

SIEM Query:

web.access AND (origin:* OR referer:*malicious*) AND status:200
