CVE-2025-65900
📋 TL;DR
CVE-2025-65900 is an incorrect access control vulnerability in Kalmia CMS that allows authenticated users with basic read permissions to retrieve sensitive information for all platform users. This affects all deployments running Kalmia CMS version 0.2.0. The vulnerability stems from insufficient permission validation and excessive data exposure in the backend API.
💻 Affected Systems
- Kalmia CMS
📦 What is this software?
Kalmia by Difuse
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all user data including potentially sensitive personal information, credentials, or other confidential data stored in user profiles, leading to data breach and regulatory violations.
Likely Case
Unauthorized access to user information including names, email addresses, roles, and other profile data, enabling reconnaissance for further attacks or data harvesting.
If Mitigated
Limited exposure of non-sensitive user metadata if proper data classification and minimal data exposure principles are implemented.
🎯 Exploit Status
Exploitation requires authenticated access but with only basic read permissions. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Monitor the Kalmia CMS repository for updates and apply when available.
🔧 Temporary Workarounds
API Endpoint Restriction
Restrict access to the vulnerable /kal-api/auth/users endpoint using web server configuration or application firewall rules. Note that a blanket deny also blocks administrators; scope the rule (for example by source address) if admin access to the endpoint is still required.
# For nginx:
location /kal-api/auth/users { deny all; }
# For Apache:
<Location /kal-api/auth/users>
    Require all denied
</Location>
Authentication Enhancement
Implement additional permission checks in the application layer to validate user authorization before returning sensitive data.
# Modify the API endpoint so that it verifies the caller holds an administrative role before returning user records, and strip fields that a basic user has no need to see from the response.
🧯 If You Can't Patch
- Implement network segmentation to isolate the Kalmia CMS instance and restrict access to trusted users only.
- Enable detailed logging and monitoring for access to the /kal-api/auth/users endpoint to detect exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Authenticate to the Kalmia CMS with a basic user account and attempt to access the /kal-api/auth/users endpoint. If it returns data for all users without proper authorization, the system is vulnerable.
Check Version:
Check the CMS version in the admin panel or configuration files. For Kalmia CMS 0.2.0, the vulnerability exists.
Verify Fix Applied:
After applying workarounds, attempt the same access with a basic user account. The endpoint should return an authorization error or no data.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /kal-api/auth/users from single user accounts
- Unusual data retrieval patterns from the users API endpoint
Network Indicators:
- HTTP requests to /kal-api/auth/users from non-admin users
- Large data transfers from the users endpoint
SIEM Query:
source="web_server" AND uri="/kal-api/auth/users" AND user_role!="admin" AND response_size>1000
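The SIEM query above, applied offline to web server logs as an added example (not part of the advisory, and not Kalmia CMS code). It assumes a constructed log format that records the authenticated username and role per request; the sample lines are made up to exercise the logic.

```python
import re
from collections import Counter

# Constructed sample log lines (not real Kalmia CMS logs). Assumed format:
# <client_ip> <username> <role> "<method> <uri>" <status> <response_bytes>
SAMPLE_LOG = """\
10.0.0.5 alice editor "GET /kal-api/auth/users" 200 48211
10.0.0.5 alice editor "GET /kal-api/auth/users" 200 48211
10.0.0.5 alice editor "GET /kal-api/auth/users" 200 48211
10.0.0.9 bob admin "GET /kal-api/auth/users" 200 48211
10.0.0.7 carol reader "GET /kal-api/docs" 200 812
10.0.0.7 carol reader "GET /kal-api/auth/users" 403 64
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)
USERS_ENDPOINT = "/kal-api/auth/users"

def parse_log(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            ev["size"] = int(ev["size"])
            events.append(ev)
    return events

def find_suspicious(events, size_threshold=1000, repeat_threshold=2):
    """Mirror the advisory's SIEM query: successful non-admin hits on the users
    endpoint with a large response body, plus per-user repeat counts so that
    one account pulling the listing again and again stands out."""
    hits = [e for e in events
            if e["uri"] == USERS_ENDPOINT and e["role"] != "admin"
            and e["status"] == 200 and e["size"] > size_threshold]
    per_user = Counter(e["user"] for e in hits)
    repeated = {u: n for u, n in per_user.items() if n >= repeat_threshold}
    return hits, repeated

if __name__ == "__main__":
    hits, repeated = find_suspicious(parse_log(SAMPLE_LOG))
    for e in hits:
        print(f"non-admin {e['user']} ({e['role']}) pulled {e['size']} bytes from {e['uri']}")
    print("repeat offenders:", repeated)
```

The blocked request (status 403, tiny body) and the admin's request are not flagged, which is what you want once the workaround is in place.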