CVE-2025-41092
📋 TL;DR
This IDOR vulnerability in BOLD Workplanner allows authenticated users to access time record details using unauthorized internal identifiers due to insufficient input validation. It affects organizations using BOLD Workplanner versions before 2.5.25. The vulnerability enables unauthorized data access but requires authentication.
💻 Affected Systems
- BOLD Workplanner
📦 What is this software?
Bold Workplanner by Boldworkplanner
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could access sensitive time records of all employees, potentially exposing salary information, work hours, and confidential project data, leading to privacy violations and data breaches.
Likely Case
Authenticated users access time records they are not permitted to view, exposing colleagues' work hours and project assignments.
If Mitigated
With proper access controls and input validation, only authorized users can access their own time records, preventing unauthorized data exposure.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of internal identifier patterns. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.25 (4935b438f9b)
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner
Restart Required: No
Instructions:
1. Download BOLD Workplanner version 2.5.25 or later.
2. Follow the vendor upgrade procedures.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
- Implement additional access controls: add server-side authorization checks for all time record access requests (application-specific implementation required).
- Use indirect reference maps: replace direct internal identifiers with mapped references that require authorization validation (application-specific implementation required).
🧯 If You Can't Patch
- Implement strict access control lists (ACLs) for time record endpoints
- Monitor and audit all time record access attempts for suspicious patterns
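As an added illustration of the two workarounds above (server-side authorization checks and an indirect reference map) and of the ACL item under "If You Can't Patch", here is a small Python model of a time-record lookup. It is written for this page, not taken from BOLD Workplanner, whose code the advisory does not show; the roles (employee, manager, admin), the record fields and the manager/report relation are assumptions, and the data is constructed. `get_record_vulnerable` shows the IDOR pattern the advisory describes, `get_record_checked` adds the server-side check, and `ReferenceMap` layers opaque per-session tokens on top so internal identifiers are never exposed to the client.

```python
import secrets
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TimeRecord:
    record_id: int        # internal identifier (what an IDOR exposes)
    owner_id: str
    hours: float
    project: str

@dataclass(frozen=True)
class User:
    user_id: str
    role: str                                               # assumed: employee / manager / admin
    reports: frozenset = field(default_factory=frozenset)  # user_ids a manager supervises

class AuthorizationError(Exception):
    pass

# Constructed sample data, not real BOLD Workplanner records.
RECORDS = {
    1001: TimeRecord(1001, "alice", 8.0, "payroll-migration"),
    1002: TimeRecord(1002, "bob", 7.5, "payroll-migration"),
    1003: TimeRecord(1003, "carol", 6.0, "audit-2025"),
}
USERS = {
    "alice": User("alice", "employee"),
    "bob": User("bob", "employee"),
    "carol": User("carol", "employee"),
    "dave": User("dave", "manager", frozenset({"alice", "bob"})),
    "erin": User("erin", "admin"),
}

def get_record_vulnerable(user_id: str, record_id) -> TimeRecord:
    """IDOR pattern: the caller is authenticated, but nothing checks that the
    requested record belongs to (or is visible to) that caller."""
    return RECORDS[int(record_id)]

def can_view(user: User, record: TimeRecord) -> bool:
    """Server-side ACL for time records: owner, the owner's manager, or an admin."""
    if user.role == "admin" or user.user_id == record.owner_id:
        return True
    return user.role == "manager" and record.owner_id in user.reports

def get_record_checked(user_id: str, record_id) -> TimeRecord:
    """Workaround 1: authorize every access on the server, after authentication."""
    user = USERS[user_id]
    record = RECORDS.get(int(record_id))
    if record is None or not can_view(user, record):
        # Same error for "missing" and "forbidden", so the response does not
        # reveal which internal identifiers exist.
        raise AuthorizationError("time record not found")
    return record

def try_access(user_id: str, record_id):
    """Convenience wrapper: owner of the record on success, None when denied."""
    try:
        return get_record_checked(user_id, record_id).owner_id
    except AuthorizationError:
        return None

class ReferenceMap:
    """Workaround 2: indirect reference map. Clients only ever see random opaque
    tokens; internal record_ids never leave the server. A real application
    keeps one map per session."""

    def __init__(self) -> None:
        self._by_token: dict[str, int] = {}
        self._by_id: dict[int, str] = {}

    def reference_for(self, record_id: int) -> str:
        if record_id not in self._by_id:
            token = secrets.token_urlsafe(16)
            self._by_id[record_id] = token
            self._by_token[token] = record_id
        return self._by_id[record_id]

    def resolve(self, token: str):
        return self._by_token.get(token)

def list_records(user_id: str, refmap: ReferenceMap) -> dict:
    """Listing endpoint: only records the caller may view get a token at all."""
    user = USERS[user_id]
    return {refmap.reference_for(r.record_id): r
            for r in RECORDS.values() if can_view(user, r)}

def get_record_indirect(user_id: str, token: str, refmap: ReferenceMap) -> TimeRecord:
    """Detail endpoint keyed by token. The ACL is still applied: the map is a
    hardening layer on top of the authorization check, not a replacement."""
    record_id = refmap.resolve(token)
    if record_id is None:
        raise AuthorizationError("time record not found")
    return get_record_checked(user_id, record_id)

if __name__ == "__main__":
    print("vulnerable:", get_record_vulnerable("bob", "1001").owner_id)   # bob reads alice's record
    print("checked:", try_access("bob", 1001), try_access("dave", 1001))  # None, then 'alice'
    refmap = ReferenceMap()
    print("tokens visible to alice:", list(list_records("alice", refmap)))
```

The order of the two layers matters: the indirect map stops identifier guessing, but on its own it would not stop a user from reusing a token that leaked from another session, which is why `get_record_indirect` still resolves the token and then runs the same `can_view` check as the direct endpoint.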
🔍 How to Verify
Check if Vulnerable:
Check whether the BOLD Workplanner version is earlier than 2.5.25 by examining the application version in the admin interface or configuration files.
Check Version:
Application-specific - check admin panel or configuration files for version information
Verify Fix Applied:
Confirm version is 2.5.25 or later and test that authenticated users cannot access time records using unauthorized identifiers
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for time record access
- Access to time records with sequential or unusual identifier patterns
- User accessing time records outside their normal scope
Network Indicators:
- Unusual patterns of requests to time record endpoints
- Requests with manipulated identifier parameters
SIEM Query:
source="bold-workplanner" AND ((event_type="time_record_access" AND user_id!=record_owner_id) OR (parameter="record_id" AND value_pattern="unusual"))
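The log indicators above can be turned into concrete checks. The following Python is an added example written for this page, not a BOLD Workplanner component or vendor detection content; the JSON-lines format and the field names (ts, event_type, user_id, record_id, record_owner_id, status) are assumptions that mirror the SIEM query, and the log lines are constructed. It implements the query's cross-owner clause and makes the two softer indicators measurable: runs of sequential record identifiers from one user, and bursts of denied access attempts.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (one JSON object per line); not real application logs.
SAMPLE_LOG = """\
{"ts":"2025-06-01T09:00:01Z","event_type":"time_record_access","user_id":"alice","record_id":1001,"record_owner_id":"alice","status":200}
{"ts":"2025-06-01T09:00:05Z","event_type":"time_record_access","user_id":"bob","record_id":1002,"record_owner_id":"bob","status":200}
{"ts":"2025-06-01T09:01:10Z","event_type":"time_record_access","user_id":"bob","record_id":1003,"record_owner_id":"carol","status":200}
{"ts":"2025-06-01T09:01:11Z","event_type":"time_record_access","user_id":"bob","record_id":1004,"record_owner_id":"dave","status":200}
{"ts":"2025-06-01T09:01:12Z","event_type":"time_record_access","user_id":"bob","record_id":1005,"record_owner_id":"erin","status":403}
{"ts":"2025-06-01T09:01:13Z","event_type":"time_record_access","user_id":"bob","record_id":1006,"record_owner_id":"frank","status":403}
{"ts":"2025-06-01T09:01:14Z","event_type":"time_record_access","user_id":"bob","record_id":1007,"record_owner_id":"grace","status":403}
{"ts":"2025-06-01T09:30:00Z","event_type":"time_record_access","user_id":"dave","record_id":1001,"record_owner_id":"alice","status":200}
"""

def parse_log(text: str) -> list:
    """Parse JSON-lines access events, sorted by time; 'ts' becomes an aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def cross_owner_accesses(events: list) -> list:
    """Successful reads of a record by someone other than its owner: the
    user_id != record_owner_id clause of the SIEM query."""
    return [e for e in events
            if e["event_type"] == "time_record_access"
            and e["status"] == 200
            and e["user_id"] != e["record_owner_id"]]

def enumeration_runs(events: list, min_run: int = 3, window_seconds: int = 60) -> dict:
    """Per user, runs of strictly sequential record_ids (n, n+1, n+2, ...) where each
    request follows the previous within window_seconds: the 'sequential identifier
    pattern' indicator. Denied requests count too, since probing mostly fails."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user_id"]].append(e)
    runs = {}
    for user, evs in by_user.items():
        start = prev = None
        found = []
        for e in evs + [None]:  # None sentinel flushes the final run
            if (prev is not None and e is not None
                    and e["record_id"] == prev["record_id"] + 1
                    and (e["ts"] - prev["ts"]).total_seconds() <= window_seconds):
                prev = e
                continue
            if start is not None and prev["record_id"] - start["record_id"] + 1 >= min_run:
                found.append((start["record_id"], prev["record_id"]))
            start = prev = e
        if found:
            runs[user] = found
    return runs

def failed_auth_bursts(events: list, threshold: int = 3, window_seconds: int = 300) -> dict:
    """Users with at least `threshold` denied (403) record accesses inside any
    sliding window of window_seconds: the 'multiple failed authorization attempts'
    indicator. Returns {user_id: peak count in a window}."""
    denied = defaultdict(list)
    for e in events:
        if e["event_type"] == "time_record_access" and e["status"] == 403:
            denied[e["user_id"]].append(e["ts"])
    flagged = {}
    for user, stamps in denied.items():
        lo, best = 0, 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged

def report(text: str) -> dict:
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "cross_owner": [(e["user_id"], e["record_id"], e["record_owner_id"])
                        for e in cross_owner_accesses(events)],
        "enumeration": enumeration_runs(events),
        "failed_bursts": failed_auth_bursts(events),
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(report(SAMPLE_LOG))
```

On the constructed data the cross-owner check also reports dave reading alice's record, which in the hardened design above is a legitimate manager view; that clause therefore needs to be joined against the application's own ACL or an allowlist before it pages anyone, whereas a sequential run from one user and a burst of 403s are far less ambiguous and are the signals worth alerting on.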