CVE-2025-48881

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-48881
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48881.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-48881
Published
2025-05-30T06:15:28Z
Modified
2025-06-05T10:50:26.534298Z
Details

Valtimo is a platform for Business Process Automation. In versions from 11.0.0.RELEASE up to and including 11.3.3.RELEASE, and from 12.0.0.RELEASE up to and including 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object URLs are exposed via other channels, the contents of these objects can be viewed independently of any object-management configuration. This issue has been patched in version 12.13.0.RELEASE. A workaround is to override the endpoint security defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer; depending on the implementation, this could result in loss of functionality.

Affected packages

Git / github.com/valtimo-platform/valtimo-backend-libraries

Affected ranges

Type
GIT
Repo
https://github.com/valtimo-platform/valtimo-backend-libraries
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

9.*

9.1.0.RELEASE
9.2.0.RELEASE
9.3.1.RELEASE
9.4.0.RELEASE
9.5.0.RELEASE
9.6.0.RELEASE
9.6.1.RELEASE
9.7.0.RELEASE
9.7.1.RELEASE
9.8.0.RELEASE
9.9.0.RELEASE
9.10.0.RELEASE
9.11.0.RELEASE
9.12.0.RELEASE
9.13.0.RELEASE
9.14.0.RELEASE
9.15.0.RELEASE
9.17.0.RELEASE
9.18.0.RELEASE
9.19.0.RELEASE
9.20.0.RELEASE
9.21.0.RELEASE
9.22.0.RELEASE
9.23.0.RELEASE
9.24.0.RELEASE
9.25.0.RELEASE
9.26.0.RELEASE

10.*

10.0.0.RELEASE
10.1.0.RELEASE
10.2.0.RELEASE
10.3.0.RELEASE
10.8.0.RELEASE
10.8.2.RELEASE

11.*

11.0.0.RELEASE
11.1.1.RELEASE
11.1.4.RELEASE
11.1.5.RELEASE
11.3.2.RELEASE

12.*

12.0.0.RELEASE
12.8.0.RELEASE
12.9.0.RELEASE
12.11.0.RELEASE