DijiDemi CVE-2025-13125
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Exploitation of Trusted Identifiers.
This issue affects DijiDemi: through 28.11.2025.
AnalysisAI
DijiDemi, a platform by Im Park Information Technology, contains an authorization bypass vulnerability (CWE-639) that allows authenticated low-privileged users to access data belonging to other users by manipulating user-controlled identifier keys. Affecting all versions through 28.11.2025, the flaw enables horizontal privilege escalation - an attacker with a valid low-privilege account can exploit trusted identifiers to read confidential data outside their authorized scope. No public exploit code exists and no KEV listing is present; with an EPSS of 0.03% (10th percentile), active exploitation is not currently anticipated.
Technical ContextAI
CWE-639 (Authorization Bypass Through User-Controlled Key) is an Insecure Direct Object Reference (IDOR) class vulnerability. The application uses a key or identifier supplied or manipulable by the authenticated user - such as a record ID, token, or account number in a request parameter - to directly fetch or operate on resources without verifying that the requesting user is authorized to access that specific object. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms the flaw is reachable over the network with low attack complexity and requires only a low-privileged account. No CPE string was provided in the source data; the affected product is identified by vendor name as DijiDemi, a Turkish software platform (education, press, publishing, advertising sector) reported by USOM (Turkey's national CERT, usom.gov.tr).
Affected ProductsAI
DijiDemi by Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. is affected in all versions through 28.11.2025 (interpreted as November 28, 2025). No CPE string was provided in the source data. Vendor advisory and detailed version information are published by Turkey's national CERT at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0442 and https://www.usom.gov.tr/bildirim/tr-25-0442.
RemediationAI
Consult the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0442 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0442 for vendor-specific remediation guidance; no exact patched version number was provided in the available intelligence data, so the patch availability status cannot be independently confirmed beyond what the vendor advisory states. As a compensating control, restrict account registration and limit the user base to trusted, verified users to reduce the pool of potential attackers who could exploit the low-privilege requirement. Additionally, implement server-side authorization checks that validate the requesting user's ownership or permission for each object key before returning data - this directly addresses the CWE-639 root cause. Review application logs for anomalous access patterns, such as sequential enumeration of record identifiers, as a detection measure. Note that blocking network access is not a viable mitigation given the application's purpose; access restriction at the account level is the most actionable short-term control.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today