CVE-2025-41113
📋 TL;DR
An authorization bypass vulnerability in CanalDenuncia.app allows attackers to access other users' confidential reports by manipulating the 'id_denuncia' parameter in a POST request. This affects all users of the application who submit or manage reports through the vulnerable endpoint.
💻 Affected Systems
- CanalDenuncia.app
📦 What is this software?
Canaldenuncia.app by Canaldenuncia
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach exposing all user-submitted reports including sensitive whistleblower information, personal details, and confidential organizational data.
Likely Case
Targeted data extraction of specific reports containing sensitive information that could be used for blackmail, identity theft, or corporate espionage.
If Mitigated
Limited exposure if proper authentication and authorization checks are implemented, restricting access to only authorized users' own reports.
🎯 Exploit Status
Exploitation requires only a POST request with a manipulated 'id_denuncia' parameter; no further authentication bypass is needed once the endpoint is reachable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in reference
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-canaldenunciaapp
Restart Required: Yes
Instructions:
1. Contact the CanalDenuncia.app vendor for a patched version.
2. Apply the security update to the web server.
3. Restart the web service.
4. Verify that authorization checks are properly implemented.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or monitor POST requests to '/backend/api/buscarDenunciaByPin.php' with suspicious id_denuncia parameters
WAF-specific configuration required
Endpoint Restriction
Restrict access to the vulnerable endpoint using IP whitelisting or an additional authentication layer
nginx: location ~ /backend/api/buscarDenunciaByPin\.php { allow 10.0.0.0/8; deny all; }
apache: <Location /backend/api/buscarDenunciaByPin.php> Require ip 10.0.0.0/8 </Location>
🧯 If You Can't Patch
- Implement strict input validation on id_denuncia parameter to ensure users can only access their own reports
- Add additional authentication token or session validation before processing buscarDenunciaByPin requests
🔍 How to Verify
Check if Vulnerable:
Send POST request to /backend/api/buscarDenunciaByPin.php with another user's report ID in id_denuncia parameter; if successful, vulnerability exists.
Check Version:
Check application version through admin interface or contact vendor
Verify Fix Applied:
Attempt same test after patch; should receive authorization error or empty response when trying to access other users' reports.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to buscarDenunciaByPin.php with different id_denuncia values from same IP/user
- Unusual access patterns to report data
Network Indicators:
- POST requests to vulnerable endpoint with sequential or random id_denuncia values
- Unusual data extraction patterns
SIEM Query:
source="web_logs" AND uri="/backend/api/buscarDenunciaByPin.php" AND method="POST" | stats count by src_ip, form_data.id_denuncia
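The log indicators above (many distinct id_denuncia values to buscarDenunciaByPin.php from one source) implemented as a stand-alone detector over constructed sample log lines; this is an added example, not part of the advisory or the vendor's code. It assumes the web logs are JSON records carrying the same fields the SIEM query uses (src_ip, method, uri, form_data.id_denuncia) plus a ts timestamp.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_URI = "/backend/api/buscarDenunciaByPin.php"   # endpoint named in the advisory
PARAM = "id_denuncia"                                  # parameter named in the advisory

# Constructed sample log lines (one JSON record per line) with the form_data
# field the SIEM query above assumes; not real traffic.
SAMPLE_LOGS = """\
{"ts": "2025-01-10T09:00:01Z", "src_ip": "203.0.113.7", "method": "POST", "uri": "/backend/api/buscarDenunciaByPin.php", "form_data": {"id_denuncia": "1041"}}
{"ts": "2025-01-10T09:00:03Z", "src_ip": "203.0.113.7", "method": "POST", "uri": "/backend/api/buscarDenunciaByPin.php", "form_data": {"id_denuncia": "1042"}}
{"ts": "2025-01-10T09:00:04Z", "src_ip": "203.0.113.7", "method": "POST", "uri": "/backend/api/buscarDenunciaByPin.php", "form_data": {"id_denuncia": "1043"}}
{"ts": "2025-01-10T09:00:06Z", "src_ip": "203.0.113.7", "method": "POST", "uri": "/backend/api/buscarDenunciaByPin.php", "form_data": {"id_denuncia": "1044"}}
{"ts": "2025-01-10T09:05:00Z", "src_ip": "198.51.100.2", "method": "POST", "uri": "/backend/api/buscarDenunciaByPin.php", "form_data": {"id_denuncia": "2210"}}
{"ts": "2025-01-10T09:05:30Z", "src_ip": "198.51.100.2", "method": "POST", "uri": "/backend/api/buscarDenunciaByPin.php", "form_data": {"id_denuncia": "2210"}}
{"ts": "2025-01-10T09:06:00Z", "src_ip": "198.51.100.2", "method": "GET", "uri": "/backend/api/other.php", "form_data": {}}
"""

def parse_events(text):
    """Yield (timestamp, src_ip, id_denuncia) for POSTs to the target endpoint only."""
    for line in text.splitlines():
        rec = json.loads(line) if line.strip() else {}
        if rec.get("method") != "POST" or rec.get("uri") != TARGET_URI:
            continue
        value = rec.get("form_data", {}).get(PARAM)
        if value is not None:
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield ts, rec["src_ip"], str(value)

def find_enumeration(text, threshold=3, window=timedelta(minutes=5)):
    """Return {src_ip: sorted distinct ids} for sources that sent at least `threshold`
    distinct id_denuncia values within any sliding `window`; repeated lookups of a
    single id (a user re-checking their own report) are not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, value in parse_events(text):
        by_ip[ip].append((ts, value))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            distinct = {v for _, v in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = sorted({v for _, v in events})   # report every id seen from this source
                break
    return flagged
```

Calling find_enumeration(SAMPLE_LOGS) flags only the source that walked four different report ids in a few seconds, while the source re-checking one id is ignored; tune threshold and window to the application's normal usage.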