CVE-2025-25968
Last modified
CVE-2025-25968 is a medium-severity vulnerability rated 6/10 on the CVSS scale. DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. EPSS estimates a 0.93% chance of exploitation in the next 30 days.
Description
DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ddsn | Cm3 Acora Content Management System | 10.1.1 |
References
- http://ddsn.comProduct
- https://github.com/padayali-JD/CVE-2025-25968Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-25968?
How severe is CVE-2025-25968?
How do I fix CVE-2025-25968?
Are you affected by CVE-2025-25968?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST