Description
Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.
Published: 2026-05-14
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication bypass flaw allows an attacker to modify the employeeID parameter in the /app/FrontController endpoint and obtain private employee details such as names, roles, job titles and vacation records. The weakness is a classic IDOR flaw described by CWE‑639 and results in the disclosure of confidential personnel information. The vulnerability can be exploited by an attacker who is already authenticated to the system, but it does not require privileged credentials or additional system exploits.

Affected Systems

The flaw exists in Stel Order version 3.25.1 and all earlier releases. The affected product is the Stel Order application, specifically its web front controller handling employee identifiers.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high risk. The EPSS score is not available, so the likelihood of exploitation cannot be quantified, but the absence of a KEV listing suggests no known widespread exploitation. Because the endpoint is exposed to authenticated users and accepts arbitrary employeeID values without validation, the attack is straightforward for anyone who can log in. The impact is limited to data confidentiality with no immediate persistence or denial of service effects.

Generated by OpenCVE AI on May 14, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Stel Order to a version newer than 3.25.1 to remove the IDOR flaw.
  • If an upgrade cannot occur immediately, restrict access to the /app/FrontController endpoint or enforce strict role‑based controls so that only authorized personnel can query employee data.
  • Add server‑side validation that the employeeID supplied in any request matches either the authenticated user’s ID or an ID explicitly allowed for that user.

Generated by OpenCVE AI on May 14, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.
Title Unsafe Object Reference (IDOR) vulnerability in Stel Order
First Time appeared Stel Order
Stel Order stel Order
Weaknesses CWE-639
CPEs cpe:2.3:a:stel_order:stel_order:*:*:*:*:*:*:*:*
Vendors & Products Stel Order
Stel Order stel Order
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Stel Order Stel Order
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-05-14T13:48:15.193Z

Reserved: 2026-04-08T14:09:26.134Z

Link: CVE-2026-5798

cve-icon Vulnrichment

Updated: 2026-05-14T13:48:11.888Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T13:16:21.300

Modified: 2026-05-14T16:46:53.510

Link: CVE-2026-5798

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses