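A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get in the file server/src/routes/auth.ts of the Authentication Endpoint component. Manipulating it can lead to improper authorization. The attack can be carried out remotely. The exploit has been made available to the public and could be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way. The record lists only affected versions (0.0.1 through 0.0.28) and names no fixed release, and its CVSS 3.1 vector (PR:L) indicates that the attacker needs a low-privileged account; operators should therefore review who can reach and authenticate to an affected instance until a patched release is confirmed.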
getmaxun Authentication Endpoint auth.ts router.get improper authorization
Problem type
CWE-285 Improper Authorization
CWE-266 Incorrect Privilege Assignment
Affected products
getmaxun
0.0.1 - AFFECTED
0.0.2 - AFFECTED
0.0.3 - AFFECTED
0.0.4 - AFFECTED
0.0.5 - AFFECTED
0.0.6 - AFFECTED
0.0.7 - AFFECTED
0.0.8 - AFFECTED
0.0.9 - AFFECTED
0.0.10 - AFFECTED
0.0.11 - AFFECTED
0.0.12 - AFFECTED
0.0.13 - AFFECTED
0.0.14 - AFFECTED
0.0.15 - AFFECTED
0.0.16 - AFFECTED
0.0.17 - AFFECTED
0.0.18 - AFFECTED
0.0.19 - AFFECTED
0.0.20 - AFFECTED
0.0.21 - AFFECTED
0.0.22 - AFFECTED
0.0.23 - AFFECTED
0.0.24 - AFFECTED
0.0.25 - AFFECTED
0.0.26 - AFFECTED
0.0.27 - AFFECTED
0.0.28 - AFFECTED
References
https://vuldb.com/?id.338477
https://vuldb.com/?ctiid.338477
https://vuldb.com/?submit.710268
https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b
GitHub Security Advisories
GHSA-72f9-ghc4-fpv2
A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the...
https://github.com/advisories/GHSA-72f9-ghc4-fpv2
A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
https://nvd.nist.gov/vuln/detail/CVE-2025-15106
https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b
https://vuldb.com/?ctiid.338477
https://vuldb.com/?id.338477
https://vuldb.com/?submit.710268
https://github.com/advisories/GHSA-72f9-ghc4-fpv2
JSON source
https://cveawg.mitre.org/api/cve/CVE-2025-15106
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-15106",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2025-12-27T10:32:05.218Z",
"dateReserved": "2025-12-26T18:10:58.997Z",
"datePublished": "2025-12-27T10:32:05.218Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2025-12-27T10:32:05.218Z"
},
"title": "getmaxun Authentication Endpoint auth.ts router.get improper authorization",
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"affected": [
{
"vendor": "getmaxun",
"product": "maxun",
"modules": [
"Authentication Endpoint"
],
"versions": [
{
"version": "0.0.1",
"status": "affected"
},
{
"version": "0.0.2",
"status": "affected"
},
{
"version": "0.0.3",
"status": "affected"
},
{
"version": "0.0.4",
"status": "affected"
},
{
"version": "0.0.5",
"status": "affected"
},
{
"version": "0.0.6",
"status": "affected"
},
{
"version": "0.0.7",
"status": "affected"
},
{
"version": "0.0.8",
"status": "affected"
},
{
"version": "0.0.9",
"status": "affected"
},
{
"version": "0.0.10",
"status": "affected"
},
{
"version": "0.0.11",
"status": "affected"
},
{
"version": "0.0.12",
"status": "affected"
},
{
"version": "0.0.13",
"status": "affected"
},
{
"version": "0.0.14",
"status": "affected"
},
{
"version": "0.0.15",
"status": "affected"
},
{
"version": "0.0.16",
"status": "affected"
},
{
"version": "0.0.17",
"status": "affected"
},
{
"version": "0.0.18",
"status": "affected"
},
{
"version": "0.0.19",
"status": "affected"
},
{
"version": "0.0.20",
"status": "affected"
},
{
"version": "0.0.21",
"status": "affected"
},
{
"version": "0.0.22",
"status": "affected"
},
{
"version": "0.0.23",
"status": "affected"
},
{
"version": "0.0.24",
"status": "affected"
},
{
"version": "0.0.25",
"status": "affected"
},
{
"version": "0.0.26",
"status": "affected"
},
{
"version": "0.0.27",
"status": "affected"
},
{
"version": "0.0.28",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Authorization",
"cweId": "CWE-285",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Incorrect Privilege Assignment",
"cweId": "CWE-266",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/?id.338477",
"name": "VDB-338477 | getmaxun Authentication Endpoint auth.ts router.get improper authorization",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/?ctiid.338477",
"name": "VDB-338477 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/?submit.710268",
"name": "Submit #710268 | https://github.com/getmaxun https://github.com/getmaxun/maxun ≤ v0.0.28 Authentication Bypass Issues",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b",
"tags": [
"exploit"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"baseScore": 6.5
}
}
],
"timeline": [
{
"time": "2025-12-26T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2025-12-26T01:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2025-12-26T19:16:07.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "28Hus (VulDB User)",
"type": "reporter"
}
]
}
}
}