Skip to main content

PaperWork CVE-2025-14101

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2025-12-17 iletisim@usom.gov.tr
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 07:35 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers.

This issue affects PaperWork: from 5.2.0.9427 before 6.0.

AnalysisAI

Authorization bypass in GG Soft PaperWork versions 5.2.0.9427 through 6.0 allows authenticated remote attackers to access or modify resources belonging to other users by manipulating user-controlled identifiers (IDOR). The flaw was reported through Turkey's USOM/TR-CERT, and no public exploit identified at time of analysis. With an EPSS score of 0.04% (12th percentile), opportunistic mass exploitation appears unlikely, though targeted abuse within deployed environments remains realistic.

Technical ContextAI

PaperWork is a document/workflow management product distributed by GG Soft Software Services Inc., a Turkish vendor. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as Insecure Direct Object Reference (IDOR). In this class of flaw, the application uses identifiers supplied by the client - such as record IDs in URL parameters, form fields, or API payloads - to look up server-side objects, but fails to verify that the authenticated session actually owns or is permitted to access the referenced object. The 'Exploitation of Trusted Identifiers' qualifier in the description suggests the application trusts ID values that pass session validation without performing per-object authorization checks, enabling horizontal (and potentially vertical) privilege escalation across tenants or users.

Affected ProductsAI

GG Soft Software Services Inc. PaperWork is affected from version 5.2.0.9427 up to (but not including) 6.0; upgrading to 6.0 or later is required. No CPE strings were provided in the supplied intelligence to enumerate exact build identifiers. Vendor and national-CERT advisories are published at https://www.usom.gov.tr/bildirim/tr-25-0464 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0464.

RemediationAI

Upgrade PaperWork to version 6.0 or later, which is the first release outside the affected range per the vendor coordination through USOM (TR-25-0464); patch details and vendor guidance are available at https://www.usom.gov.tr/bildirim/tr-25-0464 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0464. If immediate upgrade is not possible, compensating controls include placing the PaperWork web interface behind an authenticated reverse proxy that enforces per-user URL/path restrictions, enabling verbose application access logging to detect anomalous ID enumeration patterns (sequential or out-of-range object IDs in requests), and restricting account provisioning to trusted internal users - accepting the side effect that legitimate cross-team document sharing workflows may require manual coordination until the patched build is deployed. Review historical access logs for unusual ID iteration that may indicate prior unauthorized access.

Share

CVE-2025-14101 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy