关联漏洞
标题:
N/A
(CVE-2025-25968)
描述:DDSN Interactive cm3 Acora CMS版本10.1.1存在不正确的访问控制漏洞。具有编辑权限的用户可以通过强制浏览端点并利用“file”参数来访问敏感信息,如系统管理员凭据。通过引用特定文件(例如cm3.xml),攻击者可以绕过访问控制,导致账户接管和潜在的权限提升。
介绍
# CVE-2025-25968: Improper Access Control vulnerability in DDSN Interactive cm3 Acora CMS version 10.1.1
DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.
Affected version: Acora CMS v10.1.1 and possibly other versions
Discovered by Joby Y Daniel from Crowe India.
文件快照
[4.0K] /data/pocs/54aec66d5b5339d6313a3ca177267827f3cbc18f
└── [ 633] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。