CVE-2025-0615
Description
Input validation vulnerability in Qualifio's Wheel of Fortune. This vulnerability allows an attacker to modify an email to contain the ‘+’ symbol to access the application and win prizes as many times as wanted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-0615 is an input validation vulnerability in Qualifio's Wheel of Fortune that lets attackers use the '+' symbol in an email to repeatedly claim prizes.
Root Cause
CVE-2025-0615 is an input validation vulnerability in Qualifio's Wheel of Fortune. The application fails to properly validate email addresses, allowing the inclusion of the + character. This subaddressing ("plus addressing") technique is typically used for email aliasing, but here it enables unauthorized behavior. [1]
Exploitation
An attacker can register or participate in prize draws using an email address containing the + symbol (e.g., user+extra@example.com). Because the application does not treat such addresses as equivalent to the base address, the attacker can reuse the same underlying email account with slight modifications to bypass any per-email limitations. The attack requires no authentication and can be performed remotely over the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates low attack complexity and no user interaction. [1]
Impact
By exploiting this flaw, an attacker can abuse the prize wheel mechanism to win prizes multiple times, unfairly increasing their chances beyond the intended limit. This impacts the integrity of the application's prize distribution logic, though no confidentiality or availability impact is described. [1]
Mitigation
Qualifio has resolved the vulnerability, as noted by INCIBE in their coordinated disclosure. Although Qualifio reportedly does not classify the issue as a vulnerability, the fix has been applied. Administrators should ensure they are running the latest version of the Wheel of Fortune module. [1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
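The mitigation above amounts to treating subaddressed variants of one mailbox as a single participant. As an added example (not Qualifio's code, and not taken from the references), the following Python canonicalizes an email into a dedupe key before applying a per-email entry limit; the provider list, the campaign names and the one-entry limit are constructed assumptions:

```python
import re
from dataclasses import dataclass, field

# Constructed list of providers that ignore dots in the local part; extend per policy.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# Deliberately loose shape check; the goal is a stable dedupe key, not RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical_email(address: str) -> str:
    """Return a canonical key for per-identity limits.

    Strips a '+tag' subaddress, lower-cases both parts (this is a dedupe key,
    not a delivery address, so keep the original for sending mail) and removes
    dots for providers that ignore them. Raises ValueError on malformed input.
    """
    address = address.strip()
    if not EMAIL_RE.match(address):
        raise ValueError(f"malformed email: {address!r}")
    local, domain = address.rsplit("@", 1)
    local = local.split("+", 1)[0].lower()   # user+spin2 -> user
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")       # j.o.h.n -> john
    if not local:
        raise ValueError(f"empty local part after normalization: {address!r}")
    return f"{local}@{domain}"


@dataclass
class EntryLimiter:
    """Allows at most max_entries per canonical email per campaign (hypothetical store)."""
    max_entries: int = 1
    _counts: dict = field(default_factory=dict)

    def try_enter(self, campaign: str, email: str) -> bool:
        # Limit on the canonical form so user+a@ and user+b@ share one budget.
        key = (campaign, canonical_email(email))
        if self._counts.get(key, 0) >= self.max_entries:
            return False
        self._counts[key] = self._counts.get(key, 0) + 1
        return True


if __name__ == "__main__":
    limiter = EntryLimiter(max_entries=1)
    print(limiter.try_enter("wheel-demo", "user@example.com"))        # True
    print(limiter.try_enter("wheel-demo", "User+again@Example.com"))  # False
```

Canonicalization only closes the subaddress variant of the bypass; it does not stop one person using several distinct mailboxes, so it belongs alongside other per-participant controls rather than replacing them.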
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.