CVE-2025-41030: CWE-863 Incorrect Authorization in T-INNOVA Deporsite
Lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to obtain information from other users via GET ‘/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona’ using the ‘dni’ parameter.
AI Analysis
Technical Summary
CVE-2025-41030 is a medium severity vulnerability identified in the Deporsite product by T-INNOVA, affecting versions prior to v02.14.1115. The vulnerability is classified under CWE-863, which pertains to incorrect authorization. Specifically, the issue arises due to a lack of proper authorization controls on the endpoint '/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona'. This endpoint accepts a 'dni' parameter, which is presumably a unique identifier such as a national ID number. Because the endpoint does not enforce authorization, an unauthenticated attacker can query this endpoint with arbitrary 'dni' values and retrieve information about other users. The vulnerability is remotely exploitable without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). The impact primarily concerns confidentiality, as unauthorized disclosure of personal or sensitive user information is possible. The CVSS score of 6.9 reflects a medium severity rating, acknowledging the ease of exploitation but limited scope to confidentiality impact only. No known exploits are currently reported in the wild, and no patches are linked yet, indicating that organizations using affected versions remain vulnerable until an update is applied. The vulnerability was reserved in April 2025 and published in September 2025, suggesting it is a recent discovery. The lack of authentication and authorization checks on a sensitive data retrieval endpoint represents a significant security oversight in Deporsite's design, potentially exposing personal data to attackers who can automate queries to harvest user information.
Potential Impact
For European organizations using Deporsite, this vulnerability poses a significant risk to user privacy and data protection compliance, particularly under GDPR regulations which mandate strict controls on personal data access and processing. Unauthorized access to personal identifiers like 'dni' could lead to data breaches involving sensitive personal information, potentially resulting in regulatory fines, reputational damage, and loss of customer trust. Organizations in sectors such as sports clubs, membership organizations, or any entities relying on Deporsite for managing member data are at risk of having confidential user information exposed. The ease of exploitation without authentication increases the likelihood of automated attacks and large-scale data harvesting. This could also facilitate further attacks such as identity theft, social engineering, or targeted phishing campaigns against affected users. The medium severity rating indicates that while the vulnerability does not allow system takeover or direct integrity/availability compromise, the confidentiality breach alone is impactful enough to warrant urgent remediation in the European context where data privacy is highly regulated.
Mitigation Recommendations
European organizations should immediately assess their use of Deporsite and identify if they are running affected versions prior to v02.14.1115. Until an official patch is released, organizations should implement compensating controls such as restricting access to the vulnerable endpoint via network-level controls (e.g., firewall rules, IP whitelisting) to trusted internal networks only. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the '/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona' endpoint, especially those with unusual or automated 'dni' parameter values. Monitoring and logging access to this endpoint should be enhanced to detect potential exploitation attempts. Additionally, organizations should review and enforce strict authorization checks on all sensitive API endpoints to ensure that only authenticated and authorized users can access personal data. User education on phishing risks and incident response plans should be updated to address potential fallout from data leakage. Finally, organizations should engage with T-INNOVA for timely updates and apply patches as soon as they become available.
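The monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from T-INNOVA or from the original advisory: it assumes web server access logs in Combined Log Format and flags clients that look up many different 'dni' values on the affected endpoint within a short window. The threshold, window and sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} ')

def parse_hits(lines):
    """Parse Combined Log Format lines; yield (ip, time, dni) per GET to ENDPOINT."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != ENDPOINT:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        for dni in parse_qs(url.query).get("dni", []):
            yield m["ip"], ts, dni.strip().upper()

def flag_enumeration(lines, max_distinct=3, window=timedelta(minutes=5)):
    """Return {ip: peak distinct dni count} for clients above max_distinct per window."""
    by_ip = defaultdict(list)
    for ip, ts, dni in parse_hits(lines):
        by_ip[ip].append((ts, dni))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in hits[start:end + 1]}))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

# Constructed sample log lines (documentation IP ranges, made-up dni values).
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Sep/2025:10:00:{i:02d} +0000] "GET {ENDPOINT}?dni=0000000{i}T HTTP/1.1" 200 512'
    for i in range(5)
] + [
    f'198.51.100.20 - - [02/Sep/2025:10:01:00 +0000] "GET {ENDPOINT}?dni=99999999R HTTP/1.1" 200 512',
    f'198.51.100.20 - - [02/Sep/2025:10:03:00 +0000] "GET {ENDPOINT}?dni=99999999R HTTP/1.1" 200 512',
    '198.51.100.20 - - [02/Sep/2025:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]
```

On the sample data, `flag_enumeration(SAMPLE_LOG)` reports only the client that requested five different identifiers in five seconds; repeated lookups of a single identifier are not flagged.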
Affected Countries
Spain, Germany, France, Italy, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:09:26.929Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b6abafad5a09ad00da45c4
Added to database: 9/2/2025, 8:32:47 AM
Last enriched: 9/2/2025, 8:48:05 AM
Last updated: 9/2/2025, 10:21:55 AM