CVE-2025-40673
Description
A Missing Authorization vulnerability has been found in DinoRANK. This vulnerability allows an attacker to access invoices of any user by accessing the endpoint '/facturas/YYYY-MM/SDRYYMM-XXXXX.pdf' because there is no access control. The PDF filename can be obtained via OSINT, insecure network traffic or brute force.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in DinoRANK allows any low-privileged user to access other users' invoices via predictable PDF URLs.
Vulnerability
Overview
A missing authorization vulnerability (CWE-862) has been identified in DinoRANK, an SEO tool. The bug lies in the endpoint /facturas/YYYY-MM/SDRYYMM-XXXXX.pdf, which performs no check that the requester is entitled to the invoice being requested. Any user of the platform who knows or guesses a valid path can retrieve invoice PDFs belonging to other users; the CVSS vector (PR:L) indicates that an ordinary low-privileged account is sufficient and no administrative access is needed [1].
Exploitation & Attack Surface
The attack is straightforward: the attacker requests the predictable URL of another user's invoice. Most of the filename is derivable from the pattern itself: the SDR prefix is fixed and the YYMM component mirrors the YYYY-MM directory, so only the XXXXX sequence has to be discovered, which can be done through OSINT, sniffing of insecure network traffic, or brute-force enumeration [1]. Only low privileges are required and the attack is carried out remotely over the network. The CVSS v4.0 base score is 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [1].
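Because the attack is nothing more than a sequence of GET requests for predictable paths, the most useful server-side signal is a single client fetching many distinct invoice IDs, typically mixed with 404s from guesses that miss. The following detection routine is an added example written for this page, not DinoRANK code or the vendor's tooling; the access-log lines, IP addresses and invoice IDs are constructed to show the shape of an enumeration run, and the threshold `max_distinct` is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format). The IPs, timestamps and
# invoice IDs are made up for this example; they are not DinoRANK data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:10:00:01 +0000] "GET /facturas/2025-03/SDR2503-00001.pdf HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2026:10:00:02 +0000] "GET /facturas/2025-03/SDR2503-00002.pdf HTTP/1.1" 404 312
203.0.113.7 - - [10/May/2026:10:00:03 +0000] "GET /facturas/2025-03/SDR2503-00003.pdf HTTP/1.1" 200 4987
203.0.113.7 - - [10/May/2026:10:00:04 +0000] "GET /facturas/2025-03/SDR2503-00004.pdf HTTP/1.1" 404 312
203.0.113.7 - - [10/May/2026:10:00:05 +0000] "GET /facturas/2025-03/SDR2503-00005.pdf HTTP/1.1" 200 5301
203.0.113.7 - - [10/May/2026:10:00:06 +0000] "GET /facturas/2025-03/SDR2503-00006.pdf HTTP/1.1" 404 312
203.0.113.7 - - [10/May/2026:10:00:07 +0000] "GET /facturas/2025-03/SDR2503-00007.pdf HTTP/1.1" 200 4875
203.0.113.7 - - [10/May/2026:10:00:08 +0000] "GET /facturas/2025-03/SDR2503-00008.pdf HTTP/1.1" 200 5044
198.51.100.4 - - [10/May/2026:10:05:00 +0000] "GET /facturas/2025-03/SDR2503-01234.pdf HTTP/1.1" 200 6100
198.51.100.4 - - [10/May/2026:10:05:09 +0000] "GET /dashboard HTTP/1.1" 200 8800
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Shape of the vulnerable endpoint from the advisory: /facturas/YYYY-MM/SDRYYMM-XXXXX.pdf
INVOICE_RE = re.compile(
    r'^/facturas/(?P<period>\d{4}-\d{2})/(?P<invoice>SDR\d{4}-[A-Za-z0-9]+)\.pdf$'
)


def parse_invoice_requests(log_text):
    """Yield (client_ip, invoice_id, status) for every request to the invoice endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        inv = INVOICE_RE.match(m.group('path'))
        if inv:
            yield m.group('ip'), inv.group('invoice'), int(m.group('status'))


def find_enumeration(log_text, max_distinct=3):
    """Return clients that fetched more than max_distinct distinct invoice PDFs.

    A normal user downloads their own handful of invoices; a client walking the
    SDRYYMM-XXXXX sequence stands out both by the number of distinct IDs and by
    the 404s that guessing produces. Result: {client_ip: (distinct_ids, not_found)}.
    """
    distinct = defaultdict(set)
    not_found = defaultdict(int)
    for ip, invoice, status in parse_invoice_requests(log_text):
        distinct[ip].add(invoice)
        if status == 404:
            not_found[ip] += 1
    return {
        ip: (len(ids), not_found[ip])
        for ip, ids in distinct.items()
        if len(ids) > max_distinct
    }


if __name__ == '__main__':
    for ip, (n, nf) in find_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: {n} distinct invoices requested, {nf} not found')
```

Keying on the client IP is the simplest choice; on a platform where requests carry an authenticated session, keying on the session or user ID instead catches an attacker who rotates source addresses, and a per-user count of invoices that the user does not own is the most precise signal once ownership is known to the log pipeline.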
Impact
An attacker who guesses or discovers a valid invoice URL obtains another user's invoice, that is, billing data that is both financial and personal information. The vulnerability is purely a confidentiality issue, rated Low (VC:L) in the CVSS vector; integrity and availability are not affected [1].
Mitigation
The DinoRANK team has fixed the vulnerability in the latest version, and users should update their DinoRANK installations to the most recent release [1]. No patch link is indexed on this page, so the fixed version should be confirmed against the vendor's own advisory. The underlying fix for this class of bug is an object-level authorization check: the server must verify that the requested invoice belongs to the authenticated user before serving the file, rather than relying on the filename being hard to guess.
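To make the fix concrete, the following pair of handlers is an added example written for this page; it is not DinoRANK's code, and its in-memory user and invoice tables, user names and file contents are constructed placeholders for the application's database and storage. The first handler reproduces the flaw (a session is required, as PR:L implies, but nothing ties the invoice to that session); the second adds the ownership check and answers a non-owner with the same 404 a nonexistent invoice gets, so the response does not confirm which IDs exist.

```python
import re

# Constructed in-memory stores standing in for the application's database
# (who owns which invoice) and its file storage. All values are made up.
INVOICE_OWNER = {
    'SDR2503-00001': 'alice',
    'SDR2503-00002': 'bob',
}
INVOICE_FILES = {
    '2025-03/SDR2503-00001.pdf': b'%PDF-1.4 alice invoice',
    '2025-03/SDR2503-00002.pdf': b'%PDF-1.4 bob invoice',
}
# Strict shape of a legitimate invoice path (/facturas/YYYY-MM/SDRYYMM-XXXXX.pdf).
# Anything else, such as traversal segments or other extensions, is rejected
# before any lookup. The five-digit XXXXX is an assumption of this example.
INVOICE_PATH_RE = re.compile(r'^/facturas/(\d{4}-\d{2})/(SDR\d{4}-\d{5})\.pdf$')


def serve_invoice_vulnerable(path, session_user):
    """Missing authorization (CWE-862): the session is only checked for
    existence, so whoever knows or guesses the filename gets the file."""
    if session_user is None:
        return 401, b''
    m = INVOICE_PATH_RE.match(path)
    if not m:
        return 404, b''
    body = INVOICE_FILES.get(f'{m.group(1)}/{m.group(2)}.pdf')
    return (200, body) if body is not None else (404, b'')


def serve_invoice_fixed(path, session_user):
    """Object-level authorization: the invoice must belong to the requesting
    user. The ownership record comes from the database, never from the URL."""
    if session_user is None:
        return 401, b''
    m = INVOICE_PATH_RE.match(path)
    if not m:
        return 404, b''
    period, invoice_id = m.group(1), m.group(2)
    # Deny unless the invoice exists AND is owned by this user. A plain 404
    # (rather than 403) avoids telling an enumerating client that the ID is real.
    if INVOICE_OWNER.get(invoice_id) != session_user:
        return 404, b''
    body = INVOICE_FILES.get(f'{period}/{invoice_id}.pdf')
    return (200, body) if body is not None else (404, b'')


if __name__ == '__main__':
    other = '/facturas/2025-03/SDR2503-00002.pdf'   # bob's invoice
    print('vulnerable, alice requests bob:', serve_invoice_vulnerable(other, 'alice')[0])
    print('fixed, alice requests bob:     ', serve_invoice_fixed(other, 'alice')[0])
    print('fixed, bob requests bob:       ', serve_invoice_fixed(other, 'bob')[0])
```

The check compares the owner recorded for the invoice against the session user on every request; the file system path is derived only after that check succeeds. Making the filename less predictable (longer random suffixes) reduces brute-force exposure but does not remove the vulnerability, because OSINT and intercepted traffic still yield valid names.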
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0. No linked articles in our index yet.