
CVE-2025-47457: CWE-862 Missing Authorization in dgamoni LocateAndFilter

Severity: Medium
Tags: Vulnerability, CVE-2025-47457, cve, cwe-862
Published: Wed May 07 2025 (05/07/2025, 14:19:38 UTC)
Source: CVE
Vendor/Project: dgamoni
Product: LocateAndFilter

Description

Missing Authorization vulnerability in dgamoni LocateAndFilter allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LocateAndFilter: from n/a through 1.6.16.

AI-Powered Analysis

Last updated: 07/05/2025, 13:41:07 UTC

Technical Analysis

CVE-2025-47457 is a security vulnerability classified under CWE-862, indicating a Missing Authorization issue in the dgamoni product LocateAndFilter. This vulnerability allows unauthorized users to access functionality that is not properly constrained by Access Control Lists (ACLs). Specifically, the affected product is LocateAndFilter, with versions up to 1.6.16 impacted. The vulnerability permits remote attackers to invoke certain functions without proper authorization checks, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N, meaning the attack can be performed over the network without any privileges or user interaction. The impact on confidentiality is limited (C:L), with no impact on integrity or availability. This suggests that unauthorized access could lead to information disclosure but not modification or denial of service. The lack of authentication and user interaction requirements makes exploitation easier, but the scope is limited to information leakage rather than full system compromise. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published in May 2025, and the vendor project is dgamoni, which may be a specialized software provider. The absence of affected version details beyond "n/a through 1.6.16" suggests that the issue is present in all versions up to 1.6.16, with no indication of later fixed versions. Overall, this vulnerability represents a moderate risk due to unauthorized information access via missing authorization controls in a network-exposed function.

Potential Impact

For European organizations using dgamoni's LocateAndFilter product, this vulnerability could lead to unauthorized disclosure of sensitive information accessible through the LocateAndFilter functionality. Although the impact is limited to confidentiality and does not affect integrity or availability, the exposure of sensitive data could have regulatory and reputational consequences, especially under GDPR requirements. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on this software may face increased risk of data leakage. The ease of exploitation without authentication or user interaction increases the threat level, as attackers can remotely probe and extract information without needing credentials. However, since no known exploits are currently reported, the immediate risk may be moderate but could escalate if exploit code becomes available. The lack of patches means organizations must rely on compensating controls until updates are released. Overall, the vulnerability poses a moderate confidentiality risk that could facilitate further attacks or data breaches if leveraged in a targeted campaign against European entities.

Mitigation Recommendations

1. Implement strict network-level access controls to limit exposure of the LocateAndFilter service to trusted internal networks or VPNs, reducing the attack surface.
2. Employ Web Application Firewalls (WAFs) or Intrusion Detection/Prevention Systems (IDS/IPS) with custom rules to detect and block unauthorized attempts to access LocateAndFilter functionality.
3. Conduct thorough access reviews and ensure that any custom ACLs or authorization mechanisms supplement the default controls, compensating for the missing authorization in the vulnerable function.
4. Monitor logs for unusual or unauthorized access patterns related to LocateAndFilter and establish alerting for suspicious activities.
5. Engage with the vendor (dgamoni) for timely updates and patches; prioritize patching once available.
6. If possible, disable or restrict the LocateAndFilter feature temporarily until a fix is applied, especially in high-risk environments.
7. Educate security teams about this vulnerability to enhance detection and response capabilities.
8. Perform penetration testing focused on authorization controls to identify any other potential gaps in the environment.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-05-07T09:38:48.851Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9855

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 1:41:07 PM

Last updated: 7/25/2025, 10:10:25 PM
