PT-2025-7591 · Ddsn Interactive · Ddsn Interactive Cm3 Acora Cms

Joby Y Daniel · Published 2025-02-20 · Updated 2025-09-30 · CVE-2025-25968

CVSS v3.1: 6.0 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H

Name of the Vulnerable Software and Affected Versions

DDSN Interactive cm3 Acora CMS version 10.1.1

Description

The issue is an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the file parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.

Recommendations

For version 10.1.1, until a patch is available, consider disabling the ability to force browse the endpoint and restricting the use of the file parameter to prevent exploitation. Restrict access to sensitive files, such as cm3.xml, to minimize the risk of account takeover and privilege escalation.
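
One way to apply the recommendation to restrict the file parameter, shown as an added example that is not code from this advisory or from DDSN Interactive: a deny-by-default, per-role allowlist checked server-side after canonicalising the value. The function names, the role-to-file mapping and every file name other than cm3.xml are assumptions made for illustration.

```python
from typing import Optional
from urllib.parse import unquote

# Assumed policy for illustration. Only cm3.xml comes from the advisory;
# the other file names and the role-to-file mapping are constructed.
SENSITIVE_FILES = {"cm3.xml"}
ROLE_ALLOWLIST = {
    "editor": {"page.xml", "styles.css"},
    "admin": {"page.xml", "styles.css", "cm3.xml"},
}


def canonical_name(file_param: str) -> Optional[str]:
    """Reduce the file parameter to a bare lower-case name, or None to reject."""
    value = file_param
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break                      # fully decoded
        value = decoded
    else:
        return None                    # three or more encoding layers: reject
    # Assumes a case-insensitive file system that ignores trailing dots/spaces.
    value = value.replace("\\", "/").lower().rstrip(". ")
    # Bare names only: no directories, drive/stream separators or NUL bytes.
    if not value or any(ch in value for ch in "/:\x00"):
        return None
    return value


def authorize(role: str, file_param: str) -> tuple:
    """Deny by default; return (allowed, reason) so denials can be logged."""
    name = canonical_name(file_param)
    if name is None:
        return False, "malformed"
    if name in ROLE_ALLOWLIST.get(role, set()):
        return True, "allowed"
    if name in SENSITIVE_FILES:
        return False, "sensitive-denied"   # candidate for an alert
    return False, "not-allowlisted"
```

The check belongs in the request handler itself, so it applies however the endpoint is reached, and the "sensitive-denied" reason gives monitoring a specific event to alert on.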

Exploit

Fix

LPE

Improper Access Control

Weakness Enumeration

Related Identifiers: CVE-2025-25968

Affected Products: Ddsn Interactive Cm3 Acora Cms