Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Stel Order v3.25.1 and earlier allows authenticated attackers with low privileges to access confidential employee information across the organization by manipulating the 'employeeID' parameter in requests to the '/app/FrontController' endpoint. Attackers can enumerate and retrieve personal data including names, roles, job titles, and vacation records for any employee regardless of authorization level. EPSS data not available; no confirmed active exploitation (not in CISA KEV). CVSS 7.1 reflects high confidentiality impact but requires authentication, limiting immediate exposure to insider threats or compromised accounts.
Technical ContextAI
This vulnerability stems from inadequate access control implementation in the Stel Order web application framework. The /app/FrontController endpoint fails to validate whether the authenticated user has authorization to access employee records corresponding to the requested employeeID parameter. This is a classic manifestation of CWE-639 (Authorization Bypass Through User-Controlled Key), where user-supplied input directly controls object access without proper permission checks. The application likely uses the employeeID as a direct database key without implementing attribute-based or role-based access controls to verify the requesting user's rights to view that specific employee's data. The affected product is identified as Stel Order (CPE: cpe:2.3:a:stel_order:stel_order), a Spanish ordering/workforce management system, with all versions through 3.25.1 vulnerable.
RemediationAI
Apply vendor-released security patches when available by consulting the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order for specific fix versions and update instructions. The advisory title indicates 'multiple vulnerabilities' suggesting a comprehensive security update may address this and related issues. Until patches are deployed, implement these compensating controls: (1) Restrict access to the /app/FrontController endpoint using web application firewall rules to only authorized IP ranges or networks, understanding this reduces remote access functionality. (2) Implement additional session-based access control middleware that validates employeeID parameters against the authenticated user's authorized scope before processing requests - this requires custom development but provides defense-in-depth. (3) Enable comprehensive logging of all requests to /app/FrontController with employeeID parameters to detect enumeration attempts (multiple sequential requests with incrementing IDs), though this is detective rather than preventive. (4) Apply principle of least privilege by auditing user accounts and removing unnecessary low-privilege access to the application. Monitor the INCIBE advisory for official patching guidance and consider engaging directly with Stel Order support for remediation timelines.
More in Stel Order
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30269
GHSA-q39g-q5qr-xx67