### [CVE-2025-32367](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32367)
![](https://img.shields.io/static/v1?label=Product&message=face%20recognition%20application&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-425%20Direct%20Request%20('Forced%20Browsing')&color=brightgreen)

### Description

The Oz Forensics face recognition application before 4.0.8 late 2023 allows PII retrieval via /statistic/list Insecure Direct Object Reference. NOTE: the number 4.0.8 was used for both the unpatched and patched versions.

### POC

#### Reference
- https://medium.com/@antonsimonyan7/idor-in-oz-forensics-face-recognition-application-cve-2025-32367-53684ee312ea

#### Github
- https://github.com/Brakerciti/OZForensics_exploit
- https://github.com/plzheheplztrying/cve_monitor
- https://github.com/rix4uni/medium-writeups