{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-62516", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-15T15:03:28.134Z", "datePublished": "2025-10-27T19:46:32.122Z", "dateUpdated": "2025-10-27T19:58:22.992Z"}, "containers": {"cna": {"title": "Landlord Onboarding & Rental Signup Unauthorized Access Vulnerability in TurboTenant Stripe Integration", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/turbo-tenant-internal-property/www.turbotenant.com/security/advisories/GHSA-43cm-q3mv-2hvj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/turbo-tenant-internal-property/www.turbotenant.com/security/advisories/GHSA-43cm-q3mv-2hvj"}], "affected": [{"vendor": "turbo-tenant-internal-property", "product": "landlord-onboard-rental-signup", "versions": [{"version": "<= 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-27T19:46:32.122Z"}, "descriptions": [{"lang": "en", "value": "Landlord Onboarding & Rental Signup introduces the landlord onboarding workflow and rental signup system for VivaTurbo Rentals & Property Services. In 2.0.0 and earlier, a vulnerability was identified in the TurboTenant property listing activation workflow that could allow unauthorized access to certain Stripe payment session data. This could potentially expose sensitive business metadata, including landlord dashboard sync details and tenant information. The issue affects the API endpoints handling the property listing activation, subscription metadata, and payment link generation."}], "source": {"advisory": "GHSA-43cm-q3mv-2hvj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T19:58:08.543499Z", "id": "CVE-2025-62516", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T19:58:22.992Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62516", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-27T19:58:08.543499Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T19:58:11.681Z"}}], "cna": {"title": "Landlord Onboarding & Rental Signup Unauthorized Access Vulnerability in TurboTenant Stripe Integration", "source": {"advisory": "GHSA-43cm-q3mv-2hvj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "turbo-tenant-internal-property", "product": "landlord-onboard-rental-signup", "versions": [{"status": "affected", "version": "<= 2.0.0"}]}], "references": [{"url": "https://github.com/turbo-tenant-internal-property/www.turbotenant.com/security/advisories/GHSA-43cm-q3mv-2hvj", "name": "https://github.com/turbo-tenant-internal-property/www.turbotenant.com/security/advisories/GHSA-43cm-q3mv-2hvj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Landlord Onboarding & Rental Signup introduces the landlord onboarding workflow and rental signup system for VivaTurbo Rentals & Property Services. In 2.0.0 and earlier, a vulnerability was identified in the TurboTenant property listing activation workflow that could allow unauthorized access to certain Stripe payment session data. This could potentially expose sensitive business metadata, including landlord dashboard sync details and tenant information. The issue affects the API endpoints handling the property listing activation, subscription metadata, and payment link generation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-27T19:46:32.122Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62516", "state": "PUBLISHED", "dateUpdated": "2025-10-27T19:58:22.992Z", "dateReserved": "2025-10-15T15:03:28.134Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-10-27T19:46:32.122Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Landlord Onboarding & Rental Signup introduces the landlord onboarding workflow and rental signup system for VivaTurbo Rentals & Property Services. In 2.0.0 and earlier, a vulnerability was identified in the TurboTenant property listing activation workflow that could allow unauthorized access to certain Stripe payment session data. This could potentially expose sensitive business metadata, including landlord dashboard sync details and tenant information. The issue affects the API endpoints handling the property listing activation, subscription metadata, and payment link generation."}], "id": "CVE-2025-62516", "lastModified": "2025-10-27T20:15:54.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-10-27T20:15:54.740", "references": [{"source": "[email protected]", "url": "https://github.com/turbo-tenant-internal-property/www.turbotenant.com/security/advisories/GHSA-43cm-q3mv-2hvj"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "[email protected]", "type": "Primary"}]}

{}