Impact
Sismics Docs (Teedy) v1.11 contains an incorrect access control condition that allows an attacker who crafts a request to share‑based read endpoints to retrieve data that should be restricted. This flaw can result in unauthorized disclosure of confidential documents or system information, compromising the confidentiality of the data stored in the application. The weakness is an improper access control vulnerability (CWE‑284).
Affected Systems
The affected product is Sismics Docs, commonly known as Teedy, version 1.11. No additional vendor or product variants are listed in the public metadata. Administrators who run this version should verify that they are not using legacy share‑based APIs without proper authentication layers.
Risk and Exploitability
The flaw carries a CVSS score of 7.5, indicating a high impact if exploited. However, the EPSS score is below 1 %, suggesting that attacks exploiting this issue are currently rare. The vulnerability is not included in the CISA KEV catalog, implying no confirmed exploits have been reported. An attacker would need the ability to target a Teedy instance, craft a request to a share‑based read endpoint, and the endpoint would return data without verifying the requester's authenticity. No privileged credentials or elevated permissions are required, making the condition straightforward to meet for an outsider.
OpenCVE Enrichment