DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema.
The vulnerability stems from errors in the authorization schema (CWE-863: improper verification of permissions, CWE-862: missing verification of permissions). The system does not properly verify whether the requesting user has the appropriate permissions, allowing access control mechanisms to be bypassed. An attacker can send requests to protected resources without needing a valid session or credentials. The attack vector is network-based, requires no user interaction, and does not require any privileges on the attacker's side.
An attacker can gain full control over the system — including confidentiality, integrity, and availability of data — without authentication and from any network location. The maximum CVSS score of 10.0 indicates the possibility of complete system takeover and impact extending beyond the component itself (Scope: Changed).
Descor Infocad software must be urgently updated to version 3.5.2.0 or later, in which the error has been fixed. Details are available in the manufacturer's documentation at: https://www.infocadfm.com/changelog/broken-authorization-schema/
Descor Infocad in version 3.5.1 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HDescor Infocad
APPDescor< 3.5.2.0