Stel Order IDOR Vulnerability Allowing Unauthorized Access to Employee Information

Vulnerability

An insecure direct object reference (IDOR) vulnerability has been identified in Stel Order versions through 3.25.1. This issue resides in the '/app/FrontController' endpoint, where the 'employeeID' parameter can be manipulated. An authenticated attacker could exploit this vulnerability to retrieve personal information about employees, including first names, last names, roles, job titles, and vacation records, by altering the employeeID in requests sent to the server.

Impact

Exploitation of this vulnerability allows authenticated attackers to access sensitive information about employees, potentially leading to unauthorized data disclosure.
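A detection sketch for the access pattern described above, added here as an example and not taken from the advisory or the vendor: it flags sessions that successfully read many distinct employeeID values from '/app/FrontController'. The log format, the session field, the threshold and the assumption that employeeID travels in the query string are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/app/FrontController"   # endpoint named in the advisory
PARAM = "employeeID"                # parameter named in the advisory

# Constructed sample log. Assumed format: IP, session id, request line, status.
SAMPLE_LOG = """\
10.0.0.5 sess=a1 "GET /app/FrontController?employeeID=1001 HTTP/1.1" 200
10.0.0.5 sess=a1 "GET /app/FrontController?employeeID=1001 HTTP/1.1" 200
10.0.0.9 sess=b2 "GET /app/FrontController?employeeID=1001 HTTP/1.1" 200
10.0.0.9 sess=b2 "GET /app/FrontController?employeeID=1002 HTTP/1.1" 200
10.0.0.9 sess=b2 "GET /app/FrontController?employeeID=1003 HTTP/1.1" 200
10.0.0.9 sess=b2 "GET /app/FrontController?employeeID=1004 HTTP/1.1" 200
10.0.0.9 sess=b2 "GET /app/FrontController?employeeID=1005 HTTP/1.1" 403
10.0.0.7 sess=c3 "GET /app/Other?employeeID=2001 HTTP/1.1" 200
truncated line without a request
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) sess=(?P<sess>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)

def distinct_employee_ids(log_text):
    """Return {session id: set of employeeID values served with a 2xx status}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed format
        url = urlsplit(m["target"])
        if url.path != ENDPOINT or not m["status"].startswith("2"):
            continue  # other endpoint, or the server refused the request
        seen[m["sess"]].update(parse_qs(url.query).get(PARAM, []))
    return dict(seen)

def flag_sessions(log_text, threshold=3):
    """Sessions that read at least `threshold` distinct employee records."""
    return {sess: sorted(ids)
            for sess, ids in distinct_employee_ids(log_text).items()
            if len(ids) >= threshold}

if __name__ == "__main__":
    for sess, ids in flag_sessions(SAMPLE_LOG).items():
        print(f"session {sess}: {len(ids)} distinct {PARAM} values: {ids}")
```

Accounts that legitimately view many employee records will also cross the threshold, so the result is a triage list to compare against each session's role rather than a verdict.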

Added: May 14, 2026, 1:19 PM
Updated: May 14, 2026, 1:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.