Description
DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
- Attack Vector
- network
- Complexity
- low
- Privileges
- high
- User Action
- none
- Scope
- unchanged
- Confidentiality
- low
- Integrity
- low
- Availability
- high
- Weaknesses
- CWE-284
Metadata
- Primary Vendor
- DDSN
- Published
- 2/20/2025
- Last Modified
- 9/30/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
ddsn : cm3_acora_content_management_system
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.