Impact
Hermes WebUI versions prior to 0.51.368 allow an authenticated attacker to forge the hermes_profile cookie, causing the get_profile_cookie() function to accept any profile name without proper authentication. This forgery bypasses profile‑scoped authorization checks, enabling the attacker to access sessions, files, and resources belonging to other profiles, effectively granting unauthorized cross‑profile data exposure. The vulnerability stems from improper validation of cookie‑based profile identifiers and is classified as a “Profile‑Scoped Authorization Bypass.”
Affected Systems
The affected product is Hermes WebUI from the vendor nesquena, specifically all releases before 0.51.368. No other vendor or version is explicitly cited as impacted.
Risk and Exploitability
With a CVSS score of 8.6, the vulnerability is high severity, yet its EPSS score of less than 1% indicates a low exploitation likelihood at present. The exploit would involve constructing a forged hermes_profile cookie and sending it to the web application; because the bypass requires an authenticated session, the attacker must first gain or masquerade as a legitimate user. The vulnerability is not listed in CISA’s KEV catalog, so no widespread known exploitation activity is reported.
OpenCVE Enrichment