Skip to main content

Menulux Mobile App CVE-2025-13474

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-12-16 iletisim@usom.gov.tr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 07:35 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.

This issue affects Mobile App: before 9.5.8.

AnalysisAI

Information disclosure in Menulux Mobile App versions prior to 9.5.8 allows remote unauthenticated attackers to access other users' data by manipulating trusted identifiers (IDOR-style flaw). The vulnerability falls under CWE-639 (Authorization Bypass Through User-Controlled Key) and was reported by Turkey's national CERT (USOM). There is no public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.04% (13th percentile).

Technical ContextAI

Menulux is a restaurant management and ordering platform whose mobile application handles customer and order data. The flaw is a CWE-639 issue, in which the application uses an identifier supplied by the client (such as an order ID, user ID, or session reference passed in a request parameter) to look up resources without verifying that the authenticated requester is authorized to access that specific object. This is the classic Insecure Direct Object Reference (IDOR) pattern: predictable or enumerable IDs combined with missing object-level authorization checks, enabling 'exploitation of trusted identifiers' by simply substituting one ID for another in API calls. No CPE strings were provided in the available intelligence, so exact technology stack details (backend framework, API surface) are not confirmed.

Affected ProductsAI

Menulux Software Inc. Mobile App, all versions prior to 9.5.8. No CPE was published with this CVE, and the only references available are the Turkish national CERT advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0457 and https://www.usom.gov.tr/bildirim/tr-25-0457; no direct vendor security advisory URL was provided in the intelligence.

RemediationAI

Upgrade Menulux Mobile App to version 9.5.8 or later, which the advisory identifies as the fixed release (Vendor-released patch: 9.5.8). Consult the USOM advisories at https://www.usom.gov.tr/bildirim/tr-25-0457 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0457 for vendor coordination details. Because the fix is server-side as well as client-side for typical IDOR issues, organizations relying on the Menulux backend should confirm with the vendor that backend authorization checks have been deployed (client-only updates would not remediate an API-level IDOR). As compensating controls until updates are confirmed, monitor backend API access logs for enumeration patterns (sequential ID access, high-volume requests against object-fetch endpoints) and rate-limit those endpoints; if feasible, restrict mobile API access to authenticated sessions with short-lived tokens - the trade-off is potential friction for legitimate users and possible disruption to ordering flows.

Share

CVE-2025-13474 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy