Anapi Group h6web Insecure Direct Object Reference Vulnerability Allowing User Impersonation

Vulnerability

An insecure direct object reference (IDOR) vulnerability has been identified in Anapi Group's h6web application, which is used for managing guilds and online payments. This vulnerability allows an authenticated attacker to access information belonging to other users by sending a POST request and altering the 'pkrelated' parameter in the '/h6web/ha_datos_hermano.php' endpoint to target another user. Additionally, this exploitation could enable the attacker to impersonate other users, causing all subsequent requests to be executed with the privileges of the impersonated user.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user information and the ability to impersonate other users within the application.

Remediation

The Anapi Group team has removed the insecure direct object reference in the latest version of the h6web application.
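As an added illustration (not h6web's own code, whose internals are not shown on this page), the pattern the advisory describes sits beside a hardened handler: the vulnerable function looks up a member record by the client-supplied 'pkrelated' key and rebinds the session identity to it, while the hardened one checks the reference against the server-side session and never derives identity from request data. The member records, account names and the Forbidden type are constructed for the example.

```python
# Constructed member records keyed by the value a 'pkrelated' parameter would carry.
MEMBERS = {
    101: {"name": "Member A", "iban": "ES00-CONSTRUCTED-A"},
    102: {"name": "Member B", "iban": "ES00-CONSTRUCTED-B"},
}

# Constructed mapping from login account to the single member record it owns.
ACCOUNT_TO_MEMBER = {"alice": 101, "bob": 102}


class Forbidden(Exception):
    """Raised when a request references a record the session is not allowed to see."""


def vulnerable_datos_hermano(session: dict, post: dict) -> dict:
    """IDOR pattern: trusts POST['pkrelated'] as-is and rebinds the session to it,
    so every later request runs as the referenced member (impersonation)."""
    pk = int(post["pkrelated"])
    session["member_id"] = pk  # identity derived from client input
    return MEMBERS[pk]


def hardened_datos_hermano(session: dict, post: dict) -> dict:
    """Resolve the record from the authenticated account and treat 'pkrelated'
    only as a claim that must match; the session identity is never rewritten."""
    owner = ACCOUNT_TO_MEMBER[session["user"]]
    raw = post.get("pkrelated", str(owner))
    if not raw.isdigit() or int(raw) != owner:
        # Reject both malformed values and references to other members' records.
        raise Forbidden(f"account {session['user']!r} may not access member {raw!r}")
    return MEMBERS[owner]
```

Binding the lookup to the server-side account, rather than validating the client value in isolation, is what closes both the data-exposure and the impersonation path at once.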

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 4.8
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.