QRMenu CVE-2025-9902
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in AKIN Software Computer Import Export Industry and Trade Co. Ltd. QRMenu allows Privilege Abuse.
This issue affects QRMenu: from 1.05.12 before Version dated 05.09.2025.
AnalysisAI
Information disclosure in AKIN Software's QRMenu (versions 1.05.12 up to the build dated 05.09.2025) allows unauthenticated remote attackers to access other users' or tenants' data by manipulating user-controlled identifiers in requests (IDOR). Reported by Turkey's national CSIRT (USOM); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
QRMenu is a SaaS/web-based QR-code restaurant menu platform by AKIN Software Computer Import Export Industry and Trade Co. Ltd., a Turkish vendor. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as Insecure Direct Object Reference: the application uses a client-supplied identifier (e.g., a numeric record ID, menu ID, or tenant ID in a URL or request parameter) to fetch resources without verifying that the requesting session is authorized to read that specific object. Because authorization is enforced only at the authentication boundary rather than per-object, any caller - including unauthenticated ones, given the CVSS PR:N rating - can enumerate IDs to retrieve data belonging to other accounts. No CPE strings were published in the available references, so the exact affected components (API endpoints, admin panel vs. customer-facing menu) are not enumerated by NVD.
Affected ProductsAI
AKIN Software Computer Import Export Industry and Trade Co. Ltd. QRMenu is affected from version 1.05.12 up to (but not including) the build dated 05.09.2025 (5 September 2025). No CPE 2.3 string was published in the references, and no specific deployment mode (self-hosted vs. SaaS) is identified. The Turkish national advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0333 and https://www.usom.gov.tr/bildirim/tr-25-0333 are the authoritative sources; no direct vendor advisory URL was supplied.
RemediationAI
Upgrade QRMenu to the build dated 05.09.2025 or later, which is identified as the fixed version per the USOM advisory TR-25-0333 (https://www.usom.gov.tr/bildirim/tr-25-0333 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0333). If immediate upgrade is not possible, restrict access to the QRMenu administrative interface and authenticated API endpoints to known client IP ranges via WAF or reverse-proxy ACL - accepting that this breaks remote staff access - and add a WAF rule that requires a valid session cookie/JWT for any request containing object-identifier query parameters or path segments, accepting potential false positives on public menu-viewing routes. Enable verbose access logging and alert on rapid sequential ID enumeration from a single source. Contact AKIN Software directly to confirm the patched build, since the published references are Turkish-CERT advisories rather than a vendor changelog.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today