CVE-2025-41096
📋 TL;DR
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner that allows authenticated users to read contract date information belonging to other users by supplying internal identifiers they are not authorized to use. The vulnerability affects BOLD Workplanner versions prior to 2.5.25 (specifically builds before commit 4935b438f9b). It impacts organizations running vulnerable versions of BOLD Workplanner for workforce management.
💻 Affected Systems
- BOLD Workplanner
📦 What is this software?
Bold Workplanner by Boldworkplanner
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could access sensitive contract details of other employees, potentially enabling data theft, privacy violations, or preparation for further attacks.
Likely Case
Authenticated users could view contract dates they shouldn't have access to, leading to unauthorized information disclosure and potential privacy violations.
If Mitigated
With proper access controls and input validation, the impact would be limited to minimal information disclosure with no ability to modify data.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of internal identifiers. The vulnerability is in the validation of user input for object references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.25 (commit 4935b438f9b or later)
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner
Restart Required: No
Instructions:
1. Update BOLD Workplanner to version 2.5.25 or later.
2. Verify the update includes commit 4935b438f9b.
3. Test functionality after the update.
🔧 Temporary Workarounds
Implement additional access controls
Add server-side authorization checks for all object references to ensure users can only access their own contract data
Input validation enhancement
Implement strict validation of all internal identifiers passed in requests to ensure they belong to the authenticated user
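The two workarounds above amount to one rule: resolve the object reference, then check that it belongs to the authenticated user before returning anything. The following is an added illustration (not BOLD Workplanner's code; the record layout, identifiers and user ids are constructed for the example) showing a contract-date lookup with the IDOR pattern beside a hardened version that enforces ownership and records denied references for monitoring.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Contract:
    contract_id: int
    owner_user_id: int
    start_date: str
    end_date: str

# Constructed sample store keyed by an internal numeric identifier.
# These ids, users and dates are assumptions for illustration only.
CONTRACTS = {
    101: Contract(101, owner_user_id=1, start_date="2023-01-01", end_date="2024-12-31"),
    102: Contract(102, owner_user_id=2, start_date="2022-06-15", end_date="2025-06-14"),
}

# Denied references are kept here so the "Detection & Monitoring" indicators
# (repeated denials, sequential ids from one user) have something to work on.
DENIED_ACCESS_LOG: list[str] = []


def get_contract_dates_vulnerable(requester_id: int, contract_id: int) -> Optional[dict]:
    """IDOR pattern: the record is fetched by the client-supplied id alone.
    The authenticated requester is never compared with the record's owner,
    so any logged-in user can read any contract's dates."""
    c = CONTRACTS.get(contract_id)
    if c is None:
        return None
    return {"start": c.start_date, "end": c.end_date}


def get_contract_dates_hardened(requester_id: int, contract_id: int) -> Optional[dict]:
    """Server-side authorization: the identifier is resolved, then ownership is
    checked against the authenticated user before anything is returned.
    A foreign id and a non-existent id both yield None, so the response does
    not reveal whether the identifier exists."""
    c = CONTRACTS.get(contract_id)
    if c is None or c.owner_user_id != requester_id:
        DENIED_ACCESS_LOG.append(f"denied user={requester_id} contract={contract_id}")
        return None
    return {"start": c.start_date, "end": c.end_date}
```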
🧯 If You Can't Patch
- Implement network segmentation to isolate the BOLD Workplanner application from other sensitive systems
- Enable detailed logging and monitoring of all access to contract data endpoints
🔍 How to Verify
Check if Vulnerable:
Check the BOLD Workplanner version. If the version is earlier than 2.5.25 or the build does not include commit 4935b438f9b, the system is vulnerable.
Check Version:
Check the application version through the BOLD Workplanner admin interface or its configuration files.
Verify Fix Applied:
Verify the installed version is 2.5.25 or later and includes commit 4935b438f9b. Test that authenticated users cannot access other users' contract dates by manipulating identifiers.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for contract data access
- Unauthorized access patterns to contract endpoints
- Requests with manipulated internal identifiers
Network Indicators:
- Unusual patterns of requests to contract data endpoints from single users
- Requests with sequential or predictable identifier patterns
SIEM Query:
source="bold-workplanner" AND (event_type="contract_access" OR uri="*/contract*") AND user_id!=target_user_id