CVE-2026-29597
Received Received - Intake
Incorrect Access Control in Acora CMS File_Details.asp Endpoint

Publication date: 2026-03-30

Last updated on: 2026-04-03

Assigner: MITRE

Description
DDSN Interactive cm3 Acora CMS version 10.7.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive configuration files by force browsing the “/Admin/file_manager/file_details.asp” endpoint and manipulating the “file” parameter. By referencing specific files (e.g., cm3.xml), the attacker can retrieve system administrator credentials, SMTP settings, database credentials, and other confidential information. The exposure of this information can lead to full administrative access to the CMS, unauthorized access to email services, compromise of backend databases, lateral movement within the network, and long-term persistence by an attacker. This access control bypass poses a critical risk of account takeover, privilege escalation, and systemic compromise of the affected application and its associated infrastructure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-03
Generated
2026-05-07
AI Q&A
2026-03-31
EPSS Evaluated
2026-05-05
NVD
CVE-2026-29597
EUVD
EUVD-2026-17094
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ddsn_interactive acora_cms 10.7.1
cm3 acora_cms 10.7.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows attackers with editor privileges to access sensitive files due to incorrect access control. This unauthorized access to sensitive information could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Specifically, the exposure of sensitive files may result in breaches of confidentiality and data privacy obligations mandated by these standards, potentially leading to legal and regulatory consequences for affected organizations.


Can you explain this vulnerability to me?

This vulnerability is an incorrect access control issue in the file_details.asp endpoint of DDSN Interactive Acora CMS version 10.7.1. It allows attackers who have editor privileges to access sensitive files by sending specially crafted requests.


How can this vulnerability impact me? :

An attacker with editor privileges can exploit this vulnerability to access sensitive files that should normally be restricted. This unauthorized access could lead to exposure of confidential information, potentially compromising the security and privacy of the system and its users.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart