Description
Incorrect access control in the file_details.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allows attackers with editor privileges to access sensitive files via crafted requests.
Published: 2026-03-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Sensitive file exposure
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from incorrect access control on the file_details.asp endpoint of Acora CMS. An attacker who has been granted editor privileges can construct special requests that cause the server to return any file located on its filesystem. The result is that confidential or sensitive content can be read by the attacker, representing an information‑disclosure issue classified as CWE-284.

Affected Systems

The affected product is DDSN Interactive Acora CMS version 10.7.1. No other vendor or product variants are listed in the CVE record.

Risk and Exploitability

The CVSS 3.1 score of 6.5 is Medium severity (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network-reachable, low attack complexity, low privileges required, no user interaction, high confidentiality impact). No EPSS score is available, and the vulnerability is not in CISA’s KEV catalog. An attacker only needs editor access, a role that is often delegated to non‑administrative users. Exploitation requires only a crafted HTTP request and can be performed remotely. Because no higher level of authentication or additional verification is required, exploitation is straightforward once editor access is obtained.

Generated by OpenCVE AI on March 30, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Acora CMS to the most recent patch that restricts file access via file_details.asp.
  • If a patch is unavailable, remove or downgrade the editor role or block editor users from accessing the file_details.asp endpoint.
  • Configure a web‑application firewall to deny requests that contain suspicious or non‑standard file path parameters.
  • Regularly monitor web server logs for unexpected requests to file_details.asp and investigate any anomalies.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Title | | Acora CMS v10.7.1 Improper Access Control Exposes Sensitive Files

Mon, 30 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Incorrect access control in the file_details.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allows attackers with editor privileges to access sensitive files via crafted requests.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T18:21:08.671Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29597

Vulnrichment

Updated: 2026-03-30T18:18:22.323Z

NVD

Status: Received

Published: 2026-03-30T16:16:04.310

Modified: 2026-03-30T19:16:23.990

Link: CVE-2026-29597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:56:27Z

Weaknesses