CRITICAL🇵🇱 Wersja polska

CVE-2025-26853

CVSS 10.0v3.1pub. 2025-03-20upd. 2025-04-23

DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema.

🤖 AI Analysis
How it works

The vulnerability stems from errors in the authorization schema (CWE-863: improper verification of permissions, CWE-862: missing verification of permissions). The system does not properly verify whether the requesting user has the appropriate permissions, allowing access control mechanisms to be bypassed. An attacker can send requests to protected resources without needing a valid session or credentials. The attack vector is network-based, requires no user interaction, and does not require any privileges on the attacker's side.

Impact

An attacker can gain full control over the system — including confidentiality, integrity, and availability of data — without authentication and from any network location. The maximum CVSS score of 10.0 indicates the possibility of complete system takeover and impact extending beyond the component itself (Scope: Changed).

Mitigation & patch

Descor Infocad software must be urgently updated to version 3.5.2.0 or later, in which the error has been fixed. Details are available in the manufacturer's documentation at: https://www.infocadfm.com/changelog/broken-authorization-schema/

Who is affected

Descor Infocad in version 3.5.1 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Descor Infocad

    APP
    Descor
    < 3.5.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-26852CRITICAL10.0PL ✓ten sam produkt

SQL Injection w Descor Infocad — nieautoryzowany pełny dostęp do systemu

CVE-2018-13789HIGH7.5ten sam vendor

An issue was discovered in Descor Infocad FM before 3.1.0.0. An unauthenticated web service allows the retriev...