SoliClub
CVE-2025-1030
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information.
This issue affects SoliClub: from 5.2.4 before 5.3.7.
AnalysisAI
Information disclosure in Utarit Informatics SoliClub Android app versions 5.2.4 through 5.3.6 allows remote unauthenticated attackers to query the system and retrieve private personal information belonging to other users. The flaw stems from inadequate access controls on a query interface, and while CVSS rates it 7.5 (High), the EPSS probability of exploitation is very low (0.04%, 13th percentile) and no public exploit identified at time of analysis.
Technical ContextAI
SoliClub is an Android mobile application developed by Turkey-based Utarit Informatics Services Inc., identified by CPE cpe:2.3:a:utarit:soliclub:*:*:*:*:*:android:*:*. The root cause is CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), meaning the application's backend query system exposes PII without enforcing proper authorization checks on who may request which records. This class of weakness typically arises when an API endpoint validates the request format but not whether the requesting user is permitted to access the queried subject's data, enabling enumeration or direct object reference abuse against PII fields.
RemediationAI
Upgrade the SoliClub Android application to version 5.3.7 or later, which is the first release outside the affected range per the NVD version constraint (Vendor-released patch: 5.3.7). Administrators of enterprise mobile fleets should push the update via MDM and verify installed versions; end users should update through the Google Play Store. Until updates are deployed, compensating controls are limited because the issue is server-side query exposure, but operators of the backend should consider temporarily restricting or rate-limiting the affected query endpoint and reviewing access logs for anomalous lookup patterns indicative of PII enumeration - note that rate-limiting will degrade legitimate user experience and is only a stopgap. Consult the USOM advisories at https://www.usom.gov.tr/bildirim/tr-25-0466 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0466 for any vendor-coordinated guidance.
Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Utarit Information SoliClub all
Authorization Bypass Through User-Controlled Key vulnerability in Utarit Information SoliClub allows Exploiting Incorrec
Hard-coded credentials in Utarit Informatics SoliClub Android application versions prior to 5.3.7 allow remote unauthent
Authorization bypass in Utarit Informatics SoliClub Android application versions 5.2.4 through 5.3.6 allows remote unaut
Hard-coded credentials in Utarit Information Services SoliClub Android app (versions 5.2.4 through 5.3.7) allow remote u
Missing authorization controls in the SoliClub Android application (all versions before 5.3.7) allow authenticated low-p
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today