CVE-2025-60088 is a Missing Authorization vulnerability identified in the WebinarIgnition product developed by Saleswonder Team: Tobias. This vulnerability arises from incorrectly configured access control security levels, which fail to properly restrict user permissions. Specifically, users with low privileges (requiring only partial authentication) can access sensitive information or functionalities that should be restricted, thereby violating confidentiality. The CVSS 3.1 score of 6.5 (medium severity) reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). The vulnerability affects all versions of WebinarIgnition up to and including 4.06.04. Although no public exploits are currently known, the nature of the flaw makes it a candidate for exploitation in environments where the product is deployed. The vulnerability does not affect system integrity or availability, but unauthorized data disclosure could lead to information leakage, potentially exposing sensitive webinar content or user data. The absence of patches or mitigation links indicates that organizations must proactively audit and harden access controls until official fixes are released.

For European organizations, the primary impact is the potential unauthorized disclosure of sensitive information managed within WebinarIgnition, such as webinar content, participant data, or proprietary business information. This could lead to privacy violations, intellectual property exposure, or compliance issues under regulations like GDPR. Since the vulnerability requires low privileges but no user interaction, attackers who gain minimal access credentials could escalate their access improperly. This risk is particularly relevant for sectors relying heavily on webinars for communication, training, or marketing, including education, finance, and technology firms. The lack of integrity or availability impact reduces the risk of operational disruption but does not diminish the confidentiality risk. Organizations may face reputational damage and regulatory penalties if sensitive data is leaked due to this vulnerability.

European organizations should immediately conduct a thorough audit of access control configurations within WebinarIgnition to identify and remediate any improperly assigned permissions. Implement the principle of least privilege rigorously, ensuring users have only the minimum necessary access. Monitor logs and access patterns for unusual or unauthorized activity, especially from accounts with low privileges. Until an official patch is released, consider restricting network access to the WebinarIgnition management interfaces to trusted IP ranges or VPNs. Engage with the vendor for updates and apply patches promptly once available. Additionally, educate administrators and users about the risks of privilege misuse and enforce strong authentication mechanisms to reduce the risk of credential compromise. If feasible, temporarily disable or limit features that expose sensitive data until the vulnerability is resolved.