Joby Y Daniel

**Name of the Vulnerable Software and Affected Versions** Acora CMS version 10.1.1 **Description** The issue allows attackers to trick authenticated users into performing unauthorized actions by embedding malicious requests in external content. This is due to the lack of Cross-Site Request Forgery (CSRF) protections, which enables exploitation via crafted requests. Attackers can perform actions such as account deletion or user creation. **Recommendations** For Acora CMS version 10.1.1, consider implementing CSRF protections to prevent exploitation. As a temporary workaround, restrict access to sensitive actions, such as account deletion or user creation, to minimize the risk of unauthorized modifications.

**Name of the Vulnerable Software and Affected Versions** DDSN Interactive cm3 Acora CMS version 10.1.1 **Description** The issue concerns an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the `file` parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation. **Recommendations** For version 10.1.1, consider disabling the ability to force browse the endpoint and restrict the use of the `file` parameter to prevent exploitation until a patch is available. Restrict access to sensitive files, such as cm3.xml, to minimize the risk of account takeover and privilege escalation.

**Name of the Vulnerable Software and Affected Versions** DDSN Interactive cm3 Acora CMS version 10.1.1 **Description** The issue is caused by insufficient input sanitization and validation in the `table` parameter, leading to an unauthenticated time-based blind SQL Injection. This allows attackers to inject malicious SQL queries, enabling unauthorized access, manipulation of data, or exposure of sensitive information. The flaw poses significant risks to the integrity and confidentiality of the application. **Recommendations** For DDSN Interactive cm3 Acora CMS version 10.1.1, consider disabling the `table` parameter until a patch is available to prevent exploitation. Restrict access to sensitive data and ensure proper input validation and sanitization to minimize the risk of unauthorized access or data manipulation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.