AutoBizLine CVE-2025-61220
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network API with low complexity (PR:N/UI:N/AC:L); high confidentiality from data exposure, plus low integrity (I:L) because logging in as another user permits limited account impersonation.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
The incomplete verification mechanism in the AutoBizLine com.mysecondline.app 1.2.91 allows attackers to log in as other users and gain unauthorized access to their personal information.
AnalysisAI
Unauthorized account access in AutoBizLine (Android package com.mysecondline.app) version 1.2.91 lets remote attackers authenticate as other users due to an incomplete identity-verification mechanism, exposing victims' personal information. The flaw is tagged as both an authentication bypass and information disclosure, and the affected user endpoint (/secondline/user/get_user/) suggests server-side access control that fails to bind a session to the correct account. No public exploit is confirmed in the input, though a third-party technical write-up exists on GitHub, and the EPSS score is low (0.33%, 25th percentile).
Technical ContextAI
AutoBizLine ('Second Line') is a mobile business-communications app that provisions secondary phone numbers and stores user profile data server-side, retrieved via REST endpoints such as autobizline.com/secondline/user/get_user/. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), whose root cause here is an incomplete verification mechanism - the backend does not fully validate that the authenticated principal is authorized for the requested user context, allowing identity confusion or object-level access control failure (a pattern closely related to broken authentication and IDOR). Because the impact is delivered over the app's network API, the weakness lives in the server-side authorization logic rather than the client binary.
Affected ProductsAI
The affected product is AutoBizLine, distributed as the Android application com.mysecondline.app at version 1.2.91 (the only version cited). No CPE string is provided in the intelligence. The vulnerable functionality is reachable via the vendor API at https://autobizline.com/secondline/user/get_user/, and a third-party technical write-up is available at https://github.com/syz913/CVE-reports/blob/main/CVE-2025-61220.md. No official vendor security advisory URL is present in the reference set, so the fixed version is not identified.
RemediationAI
No vendor-released patch version is identified at time of analysis, so a specific upgrade target cannot be cited from the input; monitor the vendor (autobizline.com) and app-store listings for a release above 1.2.91 and apply it once published. As server-side compensating controls, the vendor should enforce object-level authorization on the /secondline/user/get_user/ endpoint so a session token can only retrieve its own bound user record, and invalidate any tokens issued through the flawed verification path - with the trade-off of forcing affected users to re-authenticate. For operators unable to patch, restricting or rate-limiting access to the user API and adding server-side logging/alerting on cross-account access patterns reduces exposure at the cost of some legitimate traffic friction; end users concerned about exposure should treat profile data in the app as potentially disclosed. Reference the technical write-up at https://github.com/syz913/CVE-reports/blob/main/CVE-2025-61220.md for detail while awaiting an official advisory.
Same weakness CWE-200 – Information Exposure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today