A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.
The system generates a static password reset token that is not unique or single-use — it remains valid after first use. An attacker who intercepts such a token (e.g., from browser history, server logs, email messages, or another communication channel) can perform a replay attack by resending the password reset request with the same token. No authentication or victim interaction is required, and the vulnerability is remotely accessible over the network without additional prerequisites (CVSS AV:N/AC:L/PR:N/UI:N).
An attacker can arbitrarily reset the password of any user in the CMS system and take full control of their account, which may lead to unauthorized access to managed content, user data, and further compromise of the system.
Apply patches available from the vendor according to the references (http://acora.com, http://ddsn.com). Until an update is applied, it is recommended to enforce single-use tokens and time limitations for password reset tokens, and to monitor logs for repeated use of the same tokens.
DDSN Interactive Acora CMS version 10.7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:LDdsn Cm3 Acora Cms
APPDdsn10.7.1
Related vulnerabilities
Acora CMS version 10.1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw enables attackers to tr...
DDSN Interactive cm3 Acora CMS version 10.1.1 has an unauthenticated time-based blind SQL Injection vulnerabil...
SQL injection vulnerability in index.asp in the Admin Panel in Dragon Design Services Network (DDSN) cm3 conte...
DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-pri...
DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b-p1, and possibly other versions, allows...