CVE-2025-41091
📋 TL;DR
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner that allows authenticated users to access calendar details using unauthorized internal identifiers. The vulnerability affects BOLD Workplanner versions prior to 2.5.25 (4935b438f9b). Attackers can exploit this to view sensitive calendar information they shouldn't have access to.
💻 Affected Systems
- BOLD Workplanner
📦 What is this software?
Bold Workplanner by Boldworkplanner
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could access all calendar details across the organization, potentially exposing sensitive scheduling information, meeting details, and confidential business activities.
Likely Case
Authenticated users can access calendar details of other users or departments they shouldn't have permission to view, leading to information disclosure and privacy violations.
If Mitigated
With proper input validation and authorization checks, users can only access calendar details they're explicitly authorized to view.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of internal object identifiers. Attackers would need to enumerate or guess valid identifiers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.25 (commit 4935b438f9b) or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner
Restart Required: No
Instructions:
1. Update BOLD Workplanner to version 2.5.25 or later.
2. Verify the update includes commit 4935b438f9b.
3. Test calendar functionality to ensure proper authorization checks are in place.
🔧 Temporary Workarounds
Implement API-level authorization checks
Add server-side authorization validation for all calendar API endpoints to verify users have permission to access requested calendar objects
Use indirect reference maps
Replace direct object references with indirect references that are mapped server-side to actual objects with proper authorization checks
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block suspicious parameter manipulation in calendar requests
- Enable detailed logging for all calendar access attempts and monitor for unauthorized access patterns
🔍 How to Verify
Check if Vulnerable:
Check if BOLD Workplanner version is earlier than 2.5.25. Test by attempting to access calendar details using modified internal identifiers while authenticated as a different user.
Check Version:
Check application version in admin panel or configuration files. For exact commit: verify presence of commit 4935b438f9b in version history.
Verify Fix Applied:
After updating to 2.5.25 or later, attempt to access calendar details using unauthorized internal identifiers - all such attempts should be blocked or return access denied errors.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for calendar objects
- Access to calendar objects with IDs outside user's normal range
- Unusual pattern of calendar access from single user
Network Indicators:
- HTTP requests with manipulated calendar ID parameters
- API calls to calendar endpoints with sequential or unusual ID values
SIEM Query:
source="bold-workplanner" AND (event="calendar_access" AND (user_id!=object_owner OR status="unauthorized"))
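The following is an added example (not from the advisory, INCIBE, or the vendor) that turns the log indicators and the SIEM query above into runnable detection logic over a handful of constructed newline-delimited JSON log lines. The field names (`event`, `user_id`, `object_owner`, `calendar_id`, `status`) follow the SIEM query on this page where it names them and are otherwise assumptions; real BOLD Workplanner log formats may differ.

```python
"""Added example (not vendor code): detection logic for the page's indicators,
run over constructed calendar-access log lines. Field names are assumptions."""
import json
from collections import defaultdict

# Constructed sample log: alice reads her own calendar; bob walks ids 102..105,
# two of which are denied and two of which succeed against other owners.
SAMPLE_LOG = """\
{"ts":"2025-06-01T09:00:01Z","event":"calendar_access","user_id":"alice","object_owner":"alice","calendar_id":101,"status":"ok"}
{"ts":"2025-06-01T09:00:05Z","event":"calendar_access","user_id":"bob","object_owner":"carol","calendar_id":102,"status":"unauthorized"}
{"ts":"2025-06-01T09:00:06Z","event":"calendar_access","user_id":"bob","object_owner":"dave","calendar_id":103,"status":"unauthorized"}
{"ts":"2025-06-01T09:00:07Z","event":"calendar_access","user_id":"bob","object_owner":"erin","calendar_id":104,"status":"ok"}
{"ts":"2025-06-01T09:00:08Z","event":"calendar_access","user_id":"bob","object_owner":"frank","calendar_id":105,"status":"ok"}
{"ts":"2025-06-01T09:01:00Z","event":"login","user_id":"bob","status":"ok"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON and keep only calendar_access events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event") == "calendar_access":
            events.append(rec)
    return events


def cross_owner_accesses(events: list) -> list:
    """Same predicate as the page's SIEM query:
    user_id != object_owner OR status == "unauthorized"."""
    return [e for e in events
            if e["user_id"] != e["object_owner"] or e["status"] == "unauthorized"]


def failed_auth_per_user(events: list, threshold: int = 2) -> dict:
    """Log indicator: multiple failed authorization attempts for calendar objects."""
    counts = defaultdict(int)
    for e in events:
        if e["status"] == "unauthorized":
            counts[e["user_id"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def sequential_id_probes(events: list, min_run: int = 3) -> dict:
    """Network indicator: a single user requesting consecutive calendar ids.
    Returns {user: (first_id, last_id)} for the longest consecutive run
    of at least min_run ids, regardless of whether each request succeeded."""
    ids_by_user = defaultdict(set)
    for e in events:
        ids_by_user[e["user_id"]].add(int(e["calendar_id"]))
    findings = {}
    for user, ids in ids_by_user.items():
        ordered = sorted(ids)
        start = ordered[0]
        best = (start, start)
        for prev, cur in zip(ordered, ordered[1:]):
            if cur != prev + 1:
                start = cur  # run broken, begin a new one
            if cur - start > best[1] - best[0]:
                best = (start, cur)
        if best[1] - best[0] + 1 >= min_run:
            findings[user] = best
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("cross-owner/unauthorized:", len(cross_owner_accesses(evts)))
    print("repeated denials:", failed_auth_per_user(evts))
    print("sequential probes:", sequential_id_probes(evts))
```

Note that `user_id != object_owner` on its own also matches legitimate access to calendars that were shared with the user, exactly as the SIEM query above would; in production, join against the application's sharing table or weight the successful cross-owner hits by the presence of a sequential run from the same user, which is what the last function surfaces.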