CVE-2025-22964

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-22964
DDSN Interactive cm3 Acora CMS version 10.1.1 has an unauthenticated time-based blind SQL Injection vulnerability caused by insufficient input sanitization and validation in the "table" parameter. This flaw allows attackers to inject malicious SQL queries by directly incorporating user-supplied input into database queries without proper escaping or validation. Exploiting this issue enables unauthorized access, manipulation of data, or exposure of sensitive information, posing significant risks to the integrity and confidentiality of the application.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/padayali-JD/CVE-2025-22964 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:ddsn:cm3_acora_content_management_system:10.1.1:*:*:*:*:*:*:*
History

03 Oct 2025, 12:53

Type Values Removed Values Added
References () https://github.com/padayali-JD/CVE-2025-22964 - () https://github.com/padayali-JD/CVE-2025-22964 - Third Party Advisory
CPE cpe:2.3:a:ddsn:cm3_acora_content_management_system:10.1.1:*:*:*:*:*:*:*
First Time Ddsn
Ddsn cm3 Acora Content Management System

03 Feb 2025, 19:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1
CWE CWE-89

23 Jan 2025, 21:15

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de inyección SQL en DDSN Net Pty Ltd (DDSN Interactive) DDSN Interactive cm3 Acora CMS 10.1.1 permite a un atacante ejecutar código arbitrario a través del parámetro table.
Summary (en) SQL Injection vulnerability in DDSN Net Pty Ltd (DDSN Interactive) DDSN Interactive cm3 Acora CMS 10.1.1 allows an attacker to execute arbitrary code via the table parameter. (en) DDSN Interactive cm3 Acora CMS version 10.1.1 has an unauthenticated time-based blind SQL Injection vulnerability caused by insufficient input sanitization and validation in the "table" parameter. This flaw allows attackers to inject malicious SQL queries by directly incorporating user-supplied input into database queries without proper escaping or validation. Exploiting this issue enables unauthorized access, manipulation of data, or exposure of sensitive information, posing significant risks to the integrity and confidentiality of the application.

15 Jan 2025, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-15 23:15

Updated : 2025-10-03 12:53

NVD link : CVE-2025-22964

Mitre link : CVE-2025-22964

CVE.ORG link : CVE-2025-22964

JSON object : View

Products Affected

ddsn

  • cm3_acora_content_management_system
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')