{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-3977","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-04-26T07:41:22.014Z","datePublished":"2025-04-27T16:31:08.927Z","dateUpdated":"2025-04-28T13:48:20.226Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2025-04-27T16:31:08.927Z"},"title":"iteachyou Dreamer CMS Attachment download improper authorization","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-285","lang":"en","description":"Improper Authorization"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-266","lang":"en","description":"Incorrect Privilege Assignment"}]}],"affected":[{"vendor":"iteachyou","product":"Dreamer CMS","versions":[{"version":"4.1.0","status":"affected"},{"version":"4.1.1","status":"affected"},{"version":"4.1.2","status":"affected"},{"version":"4.1.3","status":"affected"}],"modules":["Attachment Handler"]}],"descriptions":[{"lang":"en","value":"A vulnerability was found in iteachyou Dreamer CMS up to 4.1.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/attachment/download of the component Attachment Handler. The manipulation of the argument ID leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."},{"lang":"de","value":"In iteachyou Dreamer CMS bis 4.1.3 wurde eine problematische Schwachstelle ausgemacht. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /admin/attachment/download der Komponente Attachment Handler. Durch das Manipulieren des Arguments ID mit unbekannten Daten kann eine improper authorization-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":4.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":4.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":4,"vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N"}}],"timeline":[{"time":"2025-04-26T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-04-26T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-04-26T09:46:53.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"aibot88 (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.306313","name":"VDB-306313 | iteachyou Dreamer CMS Attachment download improper authorization","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.306313","name":"VDB-306313 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.557639","name":"Submit #557639 | iteachyou dreamer_cms 4.1.3 broken function level authorization","tags":["third-party-advisory"]},{"url":"https://gitee.com/iteachyou/dreamer_cms/issues/IC13O1","tags":["exploit","issue-tracking"]}]},"adp":[{"references":[{"url":"https://gitee.com/iteachyou/dreamer_cms/issues/IC13O1","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-28T13:48:05.719503Z","id":"CVE-2025-3977","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-28T13:48:20.226Z"}}]}}