CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42605 – Improper Access Control Vulnerability in Meon Bidding Solutions
https://notcve.org/view.php?id=CVE-2025-42605
23 Apr 2025 — This vulnerability exists in Meon Bidding Solutions due to improper authorization controls on certain API endpoints for the initiation, modification, or cancellation operations. An authenticated remote attacker could exploit this vulnerability by manipulating parameter in the API request body to gain unauthorized access to other user accounts. Successful exploitation of this vulnerability could allow remote attacker to perform authorized manipulation of data associated with other user accounts. • https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0082 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42604 – Detailed Error Response Vulnerability in Meon KYC solutions
https://notcve.org/view.php?id=CVE-2025-42604
23 Apr 2025 — This vulnerability exists in Meon KYC solutions due to debug mode is enabled in certain API endpoints. A remote attacker could exploit this vulnerability by accessing certain unauthorized API endpoints leading to detailed error messages as response leading to disclosure of system related information. • https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0082 • CWE-1295: Debug Messages Revealing Unnecessary Information •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42603 – Information Disclosure Vulnerability in Meon KYC solutions
https://notcve.org/view.php?id=CVE-2025-42603
23 Apr 2025 — This vulnerability exists in the Meon KYC solutions due to transmission of sensitive data in plain text within the response payloads of certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting API response that contains unencrypted sensitive information belonging to other users. Successful exploitation of this vulnerability could allow remote attacker to impersonate the target user and gain unauthorized access to the user account. • https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0082 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42602 – Improper Authentication Vulnerability in Meon KYC solutions
https://notcve.org/view.php?id=CVE-2025-42602
23 Apr 2025 — This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts. • https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0082 • CWE-384: Session Fixation CWE-613: Insufficient Session Expiration •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42601 – Captcha Bypass Vulnerability in Meon KYC solutions
https://notcve.org/view.php?id=CVE-2025-42601
23 Apr 2025 — This vulnerability exists in Meon KYC solutions due to insufficient server-side validation of the Captcha in certain API endpoints. A remote attacker could exploit this vulnerability by intercepting the request and removing the Captcha parameter leading to bypassing the Captcha verification mechanism. • https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0082 • CWE-602: Client-Side Enforcement of Server-Side Security •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42600 – Brute Force Attack Vulnerability in Meon KYC solutions
https://notcve.org/view.php?id=CVE-2025-42600
23 Apr 2025 — This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of login process. A remote attacker could exploit this vulnerability by performing a brute force attack on OTP, which could lead to gain unauthorized access to other user accounts. • https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2025-0082 • CWE-307: Improper Restriction of Excessive Authentication Attempts •