CVE-2025-3575 Overview
CVE-2025-3575 is an Insecure Direct Object Reference (IDOR) vulnerability in Deporsite from T-INNOVA. The flaw resides in the /helper/Familia/establecerUsuarioSeleccion endpoint, which accepts an idUsuario parameter without verifying the caller's authorization. An unauthenticated network attacker can manipulate this parameter to retrieve sensitive information belonging to other users. The vulnerability is tracked under CWE-639: Authorization Bypass Through User-Controlled Key.
Critical Impact
Remote, unauthenticated attackers can enumerate and exfiltrate other users' sensitive data by altering a single request parameter. The impact is on confidentiality: the flaw discloses records that belong to other accounts, and because the attack is a plain HTTP request it is easy to automate across many identifiers.
Affected Products
- Deporsite by T-INNOVA (sports facility management platform)
- Deployments exposing the /helper/Familia/establecerUsuarioSeleccion endpoint
- Refer to the INCIBE Security Notice for vendor-confirmed versions
Discovery Timeline
- 2025-04-15 - CVE-2025-3575 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-3575
Vulnerability Analysis
The vulnerability is an Insecure Direct Object Reference in the Deporsite web application. The endpoint /helper/Familia/establecerUsuarioSeleccion accepts the idUsuario parameter to identify a target user record. The server resolves the supplied identifier directly against backend data stores without confirming that the authenticated session, or any session at all, is authorized to view that record. By substituting another user's identifier, an attacker reads data that should be access-restricted.
The weakness is classified as CWE-639, in which the authorization decision is driven by a key the user controls. Because the attack vector is network-based and requires neither privileges nor user interaction, exploitation is straightforward with standard HTTP tooling. EPSS places the probability of exploitation in the wild at approximately 0.32 percent.
Root Cause
The root cause is a missing object-level authorization check. The application trusts the value of idUsuario supplied in the request to designate which user's family or profile data to return. No server-side validation ties that identifier to the requestor's session context, role, or ownership of the record.
Attack Vector
An attacker sends HTTP requests to /helper/Familia/establecerUsuarioSeleccion while iterating the value of the idUsuario parameter. Each modified request returns information associated with the referenced user account. Because identifiers are numeric, the attacker can script enumeration across sequential or guessed values and harvest data at scale. No authentication, privileges, or user interaction are required.
No verified public proof-of-concept code is available. See the INCIBE Security Notice for advisory details.
Detection Methods for CVE-2025-3575
Indicators of Compromise
- Repeated HTTP requests to /helper/Familia/establecerUsuarioSeleccion with sequentially incrementing or randomized idUsuario values from a single source.
- High-volume responses returning user-profile data to unauthenticated or low-privileged sessions.
- Unusual response size variance for the same endpoint, indicating different user records being served.
Detection Strategies
- Inspect web server and application logs for enumeration patterns against the idUsuario parameter.
- Deploy WAF rules that flag rapid changes in the idUsuario value within a short time window from one client.
- Correlate access logs with session ownership to detect requests where the queried idUsuario does not match the authenticated principal.
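The three detection strategies above (and the indicators of compromise that precede them) can be run over ordinary access logs. The following is an added example, not tooling from T-INNOVA or the advisory; it assumes a combined-log-style line in which the reverse proxy or application writes the session's user id in the third (authuser) field and "-" when the request carries no session. The log lines are constructed for the example. It flags anonymous hits, requests whose idUsuario differs from the session's own user id, sources that query many distinct idUsuario values inside one time window, and the response-size spread per source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/helper/Familia/establecerUsuarioSeleccion"

# Combined-log-style line with the session's user id in the third (authuser) field.
# This field layout is an assumption; adapt the regex to the real Deporsite or proxy log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample lines (not real traffic): 203.0.113.7 is logged in as user 1042 and
# walks through neighbouring idUsuario values; 198.51.100.9 has no session at all.
SAMPLE_LOG = """\
203.0.113.7 - 1042 [15/Apr/2025:10:00:01 +0000] "GET /helper/Familia/establecerUsuarioSeleccion?idUsuario=1042 HTTP/1.1" 200 812
203.0.113.7 - 1042 [15/Apr/2025:10:00:02 +0000] "GET /helper/Familia/establecerUsuarioSeleccion?idUsuario=1043 HTTP/1.1" 200 790
203.0.113.7 - 1042 [15/Apr/2025:10:00:02 +0000] "GET /helper/Familia/establecerUsuarioSeleccion?idUsuario=1044 HTTP/1.1" 200 1203
203.0.113.7 - 1042 [15/Apr/2025:10:00:03 +0000] "GET /helper/Familia/establecerUsuarioSeleccion?idUsuario=1045 HTTP/1.1" 200 655
203.0.113.7 - 1042 [15/Apr/2025:10:00:04 +0000] "GET /helper/Familia/establecerUsuarioSeleccion?idUsuario=1046 HTTP/1.1" 200 1511
198.51.100.9 - - [15/Apr/2025:10:00:05 +0000] "GET /helper/Familia/establecerUsuarioSeleccion?idUsuario=2001 HTTP/1.1" 200 845
192.0.2.20 - 77 [15/Apr/2025:10:01:00 +0000] "GET /helper/Familia/establecerUsuarioSeleccion?idUsuario=77 HTTP/1.1" 200 801
192.0.2.20 - 77 [15/Apr/2025:10:01:30 +0000] "GET /index HTTP/1.1" 200 3020
"""


def parse_line(line):
    """Return a dict for a request to the vulnerable endpoint, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    qs = parse_qs(url.query)
    return {
        "ip": m["ip"],
        "user": None if m["user"] == "-" else m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "id_usuario": qs.get("idUsuario", [None])[0],
        "status": int(m["status"]),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def anonymous_hits(events):
    """Requests that reached the endpoint with no session user at all."""
    return [e for e in events if e["user"] is None]


def ownership_mismatches(events):
    """Authenticated requests whose idUsuario is not the session's own user id."""
    return [e for e in events if e["user"] is not None and e["id_usuario"] != e["user"]]


def enumeration_sources(events, window_seconds=60, min_distinct=5):
    """Source IPs that requested at least min_distinct different idUsuario values in one window."""
    per_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, hits in per_ip.items():
        window = deque()
        for e in hits:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            distinct = len({w["id_usuario"] for w in window})
            if distinct >= min_distinct:
                flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged


def response_size_spread(events):
    """Max minus min response size per source; a wide spread means different records were served."""
    sizes = defaultdict(list)
    for e in events:
        sizes[e["ip"]].append(e["bytes"])
    return {ip: max(s) - min(s) for ip, s in sizes.items()}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("anonymous:", [e["ip"] for e in anonymous_hits(ev)])
    print("mismatches:", [(e["ip"], e["user"], e["id_usuario"]) for e in ownership_mismatches(ev)])
    print("enumeration:", enumeration_sources(ev))
    print("size spread:", response_size_spread(ev))
```

The ownership-mismatch rule is the strongest signal and needs no threshold, but it only works if the session's user id is actually logged; the enumeration and size-spread rules work on plain access logs and are the fallback when it is not.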
Monitoring Recommendations
- Forward Deporsite application logs to a centralized log analytics platform for retention and behavioral baselining.
- Alert on access to /helper/Familia/ paths originating from anonymous sessions or unexpected IP ranges.
- Track outbound response volume from the affected endpoint to identify data exfiltration spikes.
How to Mitigate CVE-2025-3575
Immediate Actions Required
- Contact T-INNOVA to confirm patched versions of Deporsite and apply vendor-supplied updates.
- Restrict access to the /helper/Familia/establecerUsuarioSeleccion endpoint to authenticated sessions only at the reverse proxy or WAF layer. This stops anonymous enumeration but does not close the authorization gap: any authenticated user can still supply another user's idUsuario until the vendor fix is applied.
- Review web server logs for prior enumeration activity against idUsuario and notify affected users if exposure is confirmed.
Patch Information
Consult the INCIBE Security Notice for vendor coordination details. At the time of NVD publication, no fixed version is listed in the public advisory. Engage T-INNOVA directly to obtain remediation guidance for affected deployments.
Workarounds
- Add a server-side or proxy-side check that compares the session-bound user identifier with the requested idUsuario and rejects mismatches. Where the application legitimately lets an account select a family member, compare against the set of identifiers that session is entitled to act on, not only its own id.
- Implement rate limiting on the affected endpoint to slow automated enumeration.
- Replace predictable numeric identifiers with non-sequential opaque references such as UUIDs where the application permits. This raises the cost of guessing identifiers but is not a substitute for the authorization check.
# Example nginx rule to block unauthenticated access to the vulnerable endpoint and slow enumeration.
# The cookie name "sessionid" is an assumption; replace it with the real Deporsite session cookie.
# Note that this only rejects anonymous requests; an authenticated user can still query other
# idUsuario values until the application itself enforces ownership.

# limit_req_zone must be declared in the http {} context, not inside a location block.
limit_req_zone $binary_remote_addr zone=idor_protect:10m rate=10r/s;

location /helper/Familia/establecerUsuarioSeleccion {
    # Reject requests that carry no session cookie at all
    if ($cookie_sessionid = "") {
        return 403;
    }
    # Throttle a single client iterating idUsuario values
    limit_req zone=idor_protect burst=5 nodelay;
    proxy_pass http://deporsite_backend;
}
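The missing check described under Root Cause, and the ownership comparison recommended as a workaround above, look like this at the application layer. This is an added example in Python, not Deporsite code or T-INNOVA's fix; the data model (users grouped into a family with a titular who may select its members), the Session class, and the function names are assumptions made for the illustration. The vulnerable handler mirrors the flaw: it resolves idUsuario straight from the store and never consults the session. The hardened handler honours the key only when it is one the session is authorized for, and returns the same error whether or not the record exists so the endpoint cannot be used as an existence oracle.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory data; field names and layout are assumptions, not Deporsite's schema.
USERS = {
    1042: {"nombre": "Ana", "email": "ana@example.test", "familia": 500},
    1043: {"nombre": "Luis", "email": "luis@example.test", "familia": 500},
    2001: {"nombre": "Marta", "email": "marta@example.test", "familia": 700},
}
# Family units: the titular (head of family) may select any member of the unit.
FAMILIAS = {
    500: {"titular": 1042, "miembros": {1042, 1043}},
    700: {"titular": 2001, "miembros": {2001}},
}


class Unauthenticated(Exception):
    """Request carries no session."""


class Forbidden(Exception):
    """Session is not allowed to act on the requested idUsuario."""


@dataclass
class Session:
    user_id: Optional[int] = None   # None models an anonymous request
    seleccion: Optional[int] = None  # the user currently selected for this session


def establecer_usuario_seleccion_vulnerable(session, id_usuario):
    """Mirrors the CWE-639 flaw: trusts the user-controlled key and ignores the session."""
    target = int(id_usuario)
    session.seleccion = target
    return USERS[target]


def authorized_targets(session):
    """Identifiers this session may select: itself, plus family members if it is the titular."""
    if session.user_id is None:
        raise Unauthenticated("login required")
    familia = FAMILIAS[USERS[session.user_id]["familia"]]
    if familia["titular"] == session.user_id:
        return set(familia["miembros"])
    return {session.user_id}


def establecer_usuario_seleccion(session, id_usuario):
    """Hardened handler: the key is honoured only if the session is authorized for it."""
    try:
        target = int(id_usuario)
    except (TypeError, ValueError):
        raise Forbidden("idUsuario must be an integer")
    # Ownership check first; the same error is raised whether or not the record exists,
    # so a rejected request leaks nothing about which identifiers are in use.
    if target not in authorized_targets(session):
        raise Forbidden("idUsuario not owned by this session")
    session.seleccion = target
    return USERS[target]


if __name__ == "__main__":
    anon = Session()
    print("vulnerable, anonymous:", establecer_usuario_seleccion_vulnerable(anon, "2001"))
    try:
        establecer_usuario_seleccion(anon, "2001")
    except Unauthenticated as exc:
        print("hardened, anonymous:", exc)
    titular = Session(user_id=1042)
    print("hardened, titular selects member:", establecer_usuario_seleccion(titular, "1043"))
    try:
        establecer_usuario_seleccion(Session(user_id=1043), "1042")
    except Forbidden as exc:
        print("hardened, member selects titular:", exc)
```

The important design point is that the decision is made from the session's side (what may this principal act on?) before the identifier is ever used as a lookup key; validating the key's format alone, or checking that the record exists, does not address the weakness.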
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


