#1 – BROKEN AUTHORIZATION SCHEMA  

Introduction 

A vulnerability identified by Nils Putnins (a researcher at NCSC) allows an attacker to access services without authentication.

  • CVE: CVE-2025-26853 
  • Vulnerability Type: Broken Access Control 
  • Product affected: Infocad Web Application 
  • Versions affected: Infocad Web Application <= v3.5.1.0 
  • Version fixed: Infocad Web Application v3.5.2.0 
  • Affected component: Web services 

Vulnerability details 

The authorization controls within the application are incorrectly implemented. Endpoints accept requests that carry no cookies or other authentication mechanism, so the actions they expose can be performed by any regular visitor to the application.

Impact analysis 

A remote user can access services without authentication. This makes it possible to execute SQL queries, affecting confidentiality, and to perform actions otherwise available to registered users, affecting integrity.

Mitigation and remediation

A fix was deployed as part of Infocad Web Application v3.5.2.0. The correct authentication rules have been reinstated.  

Acknowledgments 

Descor would like to acknowledge and thank Nils Putnins for uncovering and reporting the vulnerability. 

Timeline of events 

  • 2024-09-06: Vulnerability reported by security researcher 
  • 2024-10-14: Vulnerability analysis and acknowledgement to security researcher 
  • 2024-10-30: A fix is published as part of Infocad Web Application v3.5.2.0 
  • 2025-01-16: CVE requested  
  • 2025-02-16: CVE issued and incident page published 

Current status: 

1. First, try to reproduce the issue.
2. Acknowledge the issue to the reporter.
3. Get a fix/patch prepared. 
4. Release new version. 
5. Prepare a report about the issue. 
6. Feature the problem in an incident page. 

Last updated: 2025-03-28 00:30:00 CET