CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Description (NVD)
Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection. This issue affects CVLand: from 2.1.0 through 20251103. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
CVLand versions 2.1.0 through 20251103 by CB Project Ltd. Co. permit authenticated attackers to bypass authorization controls via parameter injection, enabling elevated privilege actions and unauthorized access to sensitive data. The CVSS score of 9.9 reflects network-based exploitation with low complexity and scope change allowing high confidentiality and integrity impact. EPSS probability is 0.07% (22nd percentile), indicating relatively low observed exploitation likelihood despite the critical severity rating. No public exploit identified at time of analysis, though the vendor was notified and did not respond.
Technical Context (AI)
This vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), where the application uses attacker-controlled input to select authorization objects or decision paths. In CVLand, authenticated users can inject or manipulate parameters that reference authorization keys, permission identifiers, or access control tokens, allowing them to assume privileges beyond their assigned role. The CVSS vector PR:L indicates low-privilege authentication is required, but the S:C (scope changed) modifier shows the attacker can impact resources beyond their authorized boundary. Parameter injection attacks typically exploit insufficient input validation where user-supplied values directly control access control logic, session identifiers, or role assignments without proper verification that the user is entitled to the referenced privilege level.
Affected Products (AI)
CB Project Ltd. Co. CVLand versions from 2.1.0 through 20251103 are affected by this authorization bypass vulnerability. The version range indicates approximately four years of vulnerable releases, assuming 20251103 is a date-stamped build identifier (3 November 2025). The vulnerability was reported by [email protected] (Turkish National Cyber Incident Response Center - USOM) and documented in their advisory at https://www.usom.gov.tr/bildirim/tr-25-0371. Additional technical details are available through VulDB advisory entry 330920 at https://vuldb.com/?id.330920. No CPE strings were provided in the available intelligence data, so automated scanners cannot identify affected installations by CPE.
Remediation (AI)
No vendor-released patch identified at time of analysis, as CB Project Ltd. Co. was contacted during coordinated disclosure but did not respond. Organizations running CVLand should monitor the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0371 and VulDB entry https://vuldb.com/?id.330920 for updates on patch availability. Until a fix is released, implement defense-in-depth controls: enforce strict input validation on all user-supplied parameters, implement server-side authorization checks that verify user permissions independently of client-supplied values, deploy web application firewall rules to detect parameter injection patterns, restrict CVLand access to trusted IP ranges via network segmentation, enable comprehensive audit logging for authorization decisions and privilege escalation attempts, and consider migrating to actively maintained alternatives given the vendor's non-responsiveness to security disclosures.
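The CWE-639 pattern described under Technical Context, beside the server-side authorization check recommended above, as an added illustration in Python. This is not CVLand's code (the product's implementation is not public); the record store, the role table, the parameter names role/owner/id and the user names are all constructed for the example.

```python
# Added illustration, not CVLand's code: sample records and a server-side role table (constructed).
RECORDS = {
    101: {"owner": "alice", "secret": "alice-report"},
    102: {"owner": "bob", "secret": "bob-report"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    pass


def fetch_record_vulnerable(session_user: str, params: dict) -> dict:
    """CWE-639: the decision keys off client-supplied 'role' and 'owner', so a
    low-privilege user who sends role=admin or owner=<victim> selects an
    authorization path they are not entitled to."""
    record = RECORDS[int(params["id"])]
    claimed_role = params.get("role", "user")
    claimed_owner = params.get("owner", session_user)
    if claimed_role == "admin" or record["owner"] == claimed_owner:
        return record
    raise Forbidden(params["id"])


def fetch_record_hardened(session_user: str, params: dict) -> dict:
    """Identity comes from the session and role from the server-side table;
    only 'id' is accepted from the client, and it is validated before use."""
    if set(params) != {"id"}:
        raise ValueError("only 'id' is accepted; authorization data is never read from the request")
    try:
        record_id = int(params["id"])
    except ValueError:
        raise ValueError("id must be an integer")
    record = RECORDS.get(record_id)
    # A missing record gets the same answer as a denied one, so 'id' is not an existence oracle.
    if record is None or not (ROLES.get(session_user) == "admin" or record["owner"] == session_user):
        raise Forbidden(record_id)
    return record


def outcome(handler, session_user: str, params: dict) -> str:
    """Summarise a request as 'granted:<secret>', 'forbidden' or 'rejected' (audit-log shape)."""
    try:
        return "granted:" + handler(session_user, params)["secret"]
    except Forbidden:
        return "forbidden"
    except ValueError:
        return "rejected"
```

The rejected/forbidden/granted summary is the shape an audit log entry for each authorization decision should carry, so that the extra role or owner parameters the advisory warns about show up as rejected requests rather than silent grants.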