External Control of Assumed-Immutable Web Parameter

CVE-2025-66385

High

9.4/10

Summary

UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request.

Attack Complexity: LOW
Attack Vector: NETWORK
User Interaction: NONE
Privileges Required: HIGH

CWE-472 - External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

References

Advisory Timeline

Published Nov 28, 2025

External Control of Assumed-Immutable Web Parameter

CVE-2025-66385

Summary

CWE-472 - External Control of Assumed-Immutable Web Parameter

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS