CVE-2025-25968

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-25968
DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.

6.0 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://ddsn.com Product
https://github.com/padayali-JD/CVE-2025-25968 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:ddsn:cm3_acora_content_management_system:10.1.1:*:*:*:*:*:*:*
History

30 Sep 2025, 20:05

Type Values Removed Values Added
References () http://ddsn.com - () http://ddsn.com - Product
References () https://github.com/padayali-JD/CVE-2025-25968 - () https://github.com/padayali-JD/CVE-2025-25968 - Third Party Advisory
First Time Ddsn cm3 Acora Content Management System
Ddsn
Summary
  • (es) La versión 10.1.1 de cm3 Acora CMS de DDSN Interactive contiene una vulnerabilidad de control de acceso indebido. Un usuario con privilegios de editor puede acceder a información confidencial, como las credenciales del administrador del sistema, al forzar la navegación en el endpoint y explotar el parámetro 'file'. Al hacer referencia a archivos específicos (por ejemplo, cm3.xml), los atacantes pueden eludir los controles de acceso, lo que lleva a la apropiación de cuentas y a una posible escalada de privilegios.
CPE cpe:2.3:a:ddsn:cm3_acora_content_management_system:10.1.1:*:*:*:*:*:*:*

20 Feb 2025, 20:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.0
CWE CWE-284

20 Feb 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-20 18:15

Updated : 2025-09-30 20:05

NVD link : CVE-2025-25968

Mitre link : CVE-2025-25968

CVE.ORG link : CVE-2025-25968

JSON object : View

Products Affected

ddsn

  • cm3_acora_content_management_system
CWE
CWE-284

Improper Access Control