CVE-2025-41097
📋 TL;DR
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner software that allows authenticated users to access basic employee details using unauthorized internal identifiers. The vulnerability affects organizations using BOLD Workplanner versions prior to 2.5.25. Attackers can exploit this to view employee information they shouldn't have access to.
💻 Affected Systems
- BOLD Workplanner
📦 What is this software?
Bold Workplanner by Boldworkplanner
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could systematically enumerate and access sensitive employee data (names, contact details, work information) leading to privacy violations, identity theft, or social engineering attacks.
Likely Case
Authenticated users accessing limited employee details they're not authorized to view, potentially violating privacy regulations and internal policies.
If Mitigated
Minimal impact with proper access controls, logging, and monitoring in place to detect unauthorized access attempts.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple - attackers can manipulate object identifiers in requests to access unauthorized data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.25 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner
Restart Required: No
Instructions:
1. Identify the current BOLD Workplanner version.
2. Upgrade to version 2.5.25 or later.
3. Verify the update includes commit 4935b438f9b.
4. Test application functionality post-upgrade.
🔧 Temporary Workarounds
- Implement API-level access controls: add server-side authorization checks for all object references before returning data.
- Use indirect reference maps: replace direct object references with temporary, user-specific tokens that map to actual objects.
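As an added illustration of the two workarounds above (example code, not BOLD Workplanner's own; the employee data, the ownership/manager rule and all function names are constructed for the demonstration), a Python lookup in the IDOR-prone form beside its server-side-check and indirect-reference forms:

```python
import secrets
# Constructed sample data for the demonstration (not real employee records).
EMPLOYEES = {
    1001: {"name": "Ada Example", "email": "ada@example.test", "manager": "mgr_a"},
    1002: {"name": "Bob Example", "email": "bob@example.test", "manager": "mgr_a"},
}
USERS = {"mgr_a": 1001, "mgr_b": 1002}  # authenticated user -> own employee id

def can_view(user, employee_id):
    """Authorization rule (assumed): a user may view their own record or records they manage."""
    record = EMPLOYEES.get(employee_id)
    return record is not None and (USERS.get(user) == employee_id or record["manager"] == user)

def get_employee_vulnerable(user, employee_id):
    """IDOR pattern: authentication is checked, authorization is not."""
    if user not in USERS:
        raise PermissionError("not authenticated")
    return EMPLOYEES[employee_id]  # any valid internal id is returned

def get_employee_checked(user, employee_id):
    """Workaround 1: server-side authorization check before returning the object."""
    if user not in USERS:
        raise PermissionError("not authenticated")
    if not can_view(user, employee_id):
        # Same error for missing and unauthorized ids, so existence is not leaked.
        raise PermissionError("forbidden")
    return EMPLOYEES[employee_id]

class ReferenceMap:
    """Workaround 2: per-user map from random tokens to internal ids, so the
    internal identifier never appears in requests and cannot be guessed."""
    def __init__(self):
        self._by_user = {}

    def issue(self, user, employee_id):
        """Hand out a token only for a record the user is authorized to see."""
        if not can_view(user, employee_id):
            raise PermissionError("forbidden")
        token = secrets.token_urlsafe(16)
        self._by_user.setdefault(user, {})[token] = employee_id
        return token

    def resolve(self, user, token):
        return self._by_user.get(user, {}).get(token)

def get_employee_indirect(refmap, user, token):
    employee_id = refmap.resolve(user, token)
    if employee_id is None:
        raise PermissionError("unknown reference")  # forged, or issued to another user
    return get_employee_checked(user, employee_id)  # defense in depth
```

The indirect form still runs the authorization check on the resolved id, so a token leaked or reused across sessions cannot bypass the server-side rule.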
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to detect and block suspicious parameter manipulation
- Enhance logging and monitoring for unauthorized access attempts to employee data endpoints
🔍 How to Verify
Check if Vulnerable:
Check if BOLD Workplanner version is earlier than 2.5.25. Test by attempting to access employee details using modified object identifiers while authenticated.
Check Version:
Check application version in admin interface or configuration files specific to BOLD Workplanner deployment
Verify Fix Applied:
After upgrading to 2.5.25+, attempt to access employee details using unauthorized identifiers - requests should be rejected with proper authorization errors.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for employee data endpoints
- Access to employee records by users not authorized for those employees
- Unusual pattern of employee ID parameter values in requests
Network Indicators:
- HTTP requests with sequential or manipulated employee ID parameters
- Unusual volume of requests to employee data endpoints
SIEM Query:
source="bold-workplanner" AND (event_type="data_access" OR endpoint="*/employee/*") AND (user NOT IN authorized_users_for_resource)