CVE-2025-3977

4.3 MEDIUM

📋 TL;DR

CVE-2025-3977 is an improper authorization vulnerability in iteachyou Dreamer CMS that allows attackers to bypass access controls on the attachment download functionality. Attackers can exploit it remotely to download files they are not authorized to access. This affects all Dreamer CMS installations up to and including version 4.1.3.

💻 Affected Systems

Products:
  • iteachyou Dreamer CMS
Versions: up to and including 4.1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /admin/attachment/download endpoint; exploitation works by manipulating the ID parameter

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could download sensitive files containing credentials, configuration data, or user information, potentially leading to full system compromise.

🟠 Likely Case

Unauthorized access to attachments and files that should be restricted to administrators only.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to unauthorized file downloads within the CMS.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires some level of access but not full authentication; public disclosure available on Gitee

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Upgrade to a version later than 4.1.3 once the vendor releases one.

🔧 Temporary Workarounds

Access Control Restriction

Platform: all

Implement strict access controls on the /admin/attachment/download endpoint so that both a valid login and a trusted source address are required (Apache 2.4 example; the AuthUserFile path is a placeholder):

# <RequireAll> makes both rules mandatory; bare Require lines are OR-ed (RequireAny)
<Location "/admin/attachment/download">
    AuthType Basic
    AuthName "Dreamer CMS admin"
    AuthUserFile "/path/to/htpasswd"
    <RequireAll>
        Require valid-user
        Require ip 192.168.1.0/24
    </RequireAll>
</Location>

Input Validation

Platform: all

Add server-side validation of the ID parameter (this rejects malformed values only; the download handler must still check that the authenticated user is authorized for the requested attachment):

# PHP example for input validation
$id = $_GET['ID'] ?? '';                  // avoid an undefined-index notice when ID is absent
if (!ctype_digit($id) || (int)$id <= 0) { // digits only; is_numeric() also accepts floats and "1e3"
    http_response_code(400);
    exit('Invalid ID parameter');
}

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthorized access to /admin/attachment/download endpoint
  • Restrict network access to Dreamer CMS admin interface to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Test if unauthorized users can access /admin/attachment/download?ID=[valid_attachment_id]

Check Version:

Check Dreamer CMS version in admin panel or configuration files

Verify Fix Applied:

Verify that unauthorized requests to the vulnerable endpoint receive an access-denied response rather than the file

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed access attempts to /admin/attachment/download
  • Unauthorized successful downloads from non-admin IPs

Network Indicators:

  • Unusual traffic patterns to /admin/attachment/download endpoint
  • Downloads from unexpected user agents or IP ranges

SIEM Query:

source="web_server" AND (url="/admin/attachment/download" AND response_code=200) AND NOT (user_role="admin")
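As an added example (not part of this advisory), the following Python script applies the two log indicators and the SIEM query's logic to constructed combined-format access-log lines. Web-server logs carry no user_role field, so the 192.168.1.0/24 admin network from the Apache workaround stands in for it; that range and the sample entries are assumptions.

```python
import ipaddress
import re
from collections import Counter

ENDPOINT = "/admin/attachment/download"
# Assumption: admin staff reach the CMS only from this network (same range as the
# Apache workaround above); a 200 from anywhere else is the "non-admin" case.
ADMIN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
FAILED_THRESHOLD = 3  # 401/403 responses per client before it is reported

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return ip/method/path/status/ua for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_admin_source(ip):
    return any(ipaddress.ip_address(ip) in net for net in ADMIN_NETS)

def analyze(lines):
    """Return (downloads, probing_ips): 200s on the endpoint from non-admin sources,
    and clients with at least FAILED_THRESHOLD denied (401/403) attempts on it."""
    downloads, failures = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != ENDPOINT:
            continue  # unparseable, or a request for some other URL
        if rec["status"] == 200 and not is_admin_source(rec["ip"]):
            downloads.append((rec["ip"], rec["path"], rec["ua"]))
        elif rec["status"] in (401, 403):
            failures[rec["ip"]] += 1
    return downloads, sorted(ip for ip, n in failures.items() if n >= FAILED_THRESHOLD)

# Constructed sample (not real traffic): one admin download, three denials from one
# client, and one successful download from an unexpected network and user agent.
SAMPLE_LOG = [
    '192.168.1.10 - - [10/May/2025:10:00:01 +0000] "GET /admin/attachment/download?ID=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2025:10:01:12 +0000] "GET /admin/attachment/download?ID=13 HTTP/1.1" 403 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/May/2025:10:01:13 +0000] "GET /admin/attachment/download?ID=14 HTTP/1.1" 403 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/May/2025:10:01:14 +0000] "GET /admin/attachment/download?ID=15 HTTP/1.1" 403 512 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/May/2025:10:02:00 +0000] "GET /admin/attachment/download?ID=16 HTTP/1.1" 200 8192 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/May/2025:10:02:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
]
```

Calling analyze(SAMPLE_LOG) flags the download by 198.51.100.4 and reports 203.0.113.7 for repeated denied attempts, while the admin download and the unrelated /index.html request are ignored.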
