CVE-2025-0744 - Vulnerability Details - OpenCVE

an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the "/demos/embedai/pmt_cash_on_delivery/pay" endpoint.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Thesamur	Embedai

Configuration 1 [-]

cpe:2.3:a:thesamur:embedai:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai

History

Wed, 08 Oct 2025 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Thesamur Thesamur embedai
CPEs		cpe:2.3:a:thesamur:embedai::::::::
Vendors & Products		Thesamur Thesamur embedai

Tue, 18 Feb 2025 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-863

Thu, 30 Jan 2025 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-863
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 30 Jan 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the "/demos/embedai/pmt_cash_on_delivery/pay" endpoint.
Title		Improper Access Control vulnerability in EmbedAI
Weaknesses		CWE-284
References		https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2025-01-30T11:17:25.952Z

Updated: 2025-02-18T19:03:02.490Z

Reserved: 2025-01-27T12:21:51.792Z

Link: CVE-2025-0744

Vulnrichment

Updated: 2025-01-30T13:44:09.732Z

NVD

Status : Analyzed

Published: 2025-01-30T12:15:27.843

Modified: 2025-10-08T19:18:30.310

Link: CVE-2025-0744

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-0744", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2025-01-27T12:21:51.792Z", "datePublished": "2025-01-30T11:17:25.952Z", "dateUpdated": "2025-02-18T19:03:02.490Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EmbedAI", "vendor": "EmbedAI", "versions": [{"lessThan": "2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "datePublic": "2025-01-30T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the \"/demos/embedai/pmt_cash_on_delivery/pay\" endpoint."}], "value": "an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the \"/demos/embedai/pmt_cash_on_delivery/pay\" endpoint."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-01-30T11:17:25.952Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability has been resolved by EmbedAI team in version 2.1."}], "value": "The vulnerability has been resolved by EmbedAI team in version 2.1."}], "source": {"discovery": "EXTERNAL"}, "title": "Improper Access Control vulnerability in EmbedAI", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-30T13:36:37.058088Z", "id": "CVE-2025-0744", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-18T19:03:02.490Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0744", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-30T13:36:37.058088Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-30T13:44:09.732Z"}}], "cna": {"title": "Improper Access Control vulnerability in EmbedAI", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "EmbedAI", "product": "EmbedAI", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability has been resolved by EmbedAI team in version 2.1.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability has been resolved by EmbedAI team in version 2.1.", "base64": false}]}], "datePublic": "2025-01-30T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the \"/demos/embedai/pmt_cash_on_delivery/pay\" endpoint.", "supportingMedia": [{"type": "text/html", "value": "an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the \"/demos/embedai/pmt_cash_on_delivery/pay\" endpoint.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-01-30T11:17:25.952Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0744", "state": "PUBLISHED", "dateUpdated": "2025-02-18T19:03:02.490Z", "dateReserved": "2025-01-27T12:21:51.792Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2025-01-30T11:17:25.952Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thesamur:embedai:*:*:*:*:*:*:*:*", "matchCriteriaId": "A81F2612-1390-41C8-99A6-710A2EBB498A", "versionEndExcluding": "2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the \"/demos/embedai/pmt_cash_on_delivery/pay\" endpoint."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de control de acceso inadecuado en EmbedAI 2.1 y versiones anteriores. Esta vulnerabilidad permite a un atacante autenticado cambiar su plan de suscripci\u00f3n sin pagar mediante una solicitud POST que cambia los par\u00e1metros de \"/demos/embedai/pmt_cash_on_delivery/pay\" endpoint."}], "id": "CVE-2025-0744", "lastModified": "2025-10-08T19:18:30.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-30T12:15:27.843", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}