VDB
CVE-2025-3977
CVE-2025-3977
PUBLISHED
CVSS 5.300000190734863 MEDIUM
A vulnerability was found in iteachyou Dreamer CMS up to 4.1.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/attachment/download of the component Attachment Handler. The manipulation of the argument ID leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
EPSS 0.16% · 36.9th percentile
Risk Scores
CVSS 4.0
5.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.16%
36.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| iteachyou | Dreamer CMS | 4.1.0, 4.1.2, 4.1.3 |
| iteachyou | dreamer_cms | 0 |
Exploit Intelligence
- CIRCL seen: CVE-2025-3977 (circl-sighting)
- CIRCL seen: CVE-2025-3977 (circl-sighting)
- VDB-306313 | iteachyou Dreamer CMS Attachment download improper authorization (circl)
- VDB-306313 | CTI Indicators (IOB, IOC, TTP, IOA) (circl)
- Submit #557639 | iteachyou dreamer_cms 4.1.3 broken function level authorization (circl)
- https://gitee.com/iteachyou/dreamer_cms/issues/IC13O1 (cve.org)
Timeline
- Apr 27, 2025 CVE Published
- Apr 27, 2025 PoC Published
- Apr 27, 2025 PoC Published
- Apr 28, 2025 EPSS Score
- May 10, 2025 EPSS Score
- May 22, 2025 EPSS Score
- May 26, 2025 Coalition ESS Score
- Jun 3, 2025 EPSS Score
- Jun 15, 2025 EPSS Score
- Jun 27, 2025 EPSS Score
- Jul 9, 2025 EPSS Score
- Jul 21, 2025 EPSS Score
References
- VDB-306313 | iteachyou Dreamer CMS Attachment download improper authorization vdb
- VDB-306313 | CTI Indicators (IOB, IOC, TTP, IOA) url
- Submit #557639 | iteachyou dreamer_cms 4.1.3 broken function level authorization third-party-advisory
- https://gitee.com/iteachyou/dreamer_cms/issues/IC13O1 exploit
- https://nvd.nist.gov/vuln/detail/CVE-2025-3977 advisory