CVE-2025-34293

Published: Oct 24, 2025

Modified: May 14, 2026

PUBLISHED

Description

GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account's security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.

Vendor: Naviga Global / Miles 33

Product: GN4 Publishing System

Versions: affected, 0 - < 2.6

Weaknesses (CWE)
