CVE-2025-22984
Published: 14 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-22984, published on 2025-01-14, is an access control vulnerability (CWE-922) in the /api/squareComment/DelectSquareById component of iceCMS version 2.2.0. It enables unauthenticated attackers to access sensitive information due to improper implementation of access controls. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity over the network.
Unauthenticated attackers can exploit this issue remotely without privileges or user interaction by sending crafted requests to the affected endpoint. Exploitation results in unauthorized disclosure of sensitive information, with no impact on integrity or availability.
Details on the vulnerability, including potential mitigation steps, are documented in the referenced advisory at https://github.com/H3rmesk1t/vulnerability-paper/blob/main/iceCMS-2.2.0-Incorrect%20Access%20Control2.md. Security practitioners should review it for reproduction steps and remediation guidance, such as upgrading iceCMS or implementing access restrictions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an access control issue in a public-facing API endpoint (/api/squareComment/DelectSquareById) of iceCMS v2.2.0, allowing unauthenticated attackers to access sensitive information, which directly enables exploitation of public-facing applications.