| Field | Value |
| --- | --- |
| ZUSOART ID | ZA-2026-01 |
| CVE ID | CVE-2026-24728 |
| Vulnerability Type | CWE-306: Missing Authentication for Critical Function |
| CVSS 4.0 Base | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (9.3) |
| Description | A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication. |
| Vendor | Internet Information Co., Ltd |
| Product | DreamMaker |
| Version affected | Before 2025/10/22 |
| Mitigations | Configure network firewalls, load balancers, or Access Control Lists (ACLs) to restrict access to the affected endpoint /servlet/baServer3. Block connections from external networks entirely and allow access only from trusted internal management IP addresses. |
| Release date | 2026/01/30 |
| Credit | Kuang Ming Chang of ZUSO ART |
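
One way to verify the access restriction described under Mitigations is to scan web or proxy access logs for requests to /servlet/baServer3 from addresses outside the trusted management range. This is an added example, not vendor or ZUSO ART code. It assumes Common/Combined Log Format, and the trusted range `10.20.0.0/24` and the sample log lines are constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/servlet/baServer3"  # affected endpoint named in the advisory
# Assumption: trusted internal management range; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Common/Combined Log Format: client address first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalise_path(target):
    """Reduce a request target to a canonical path before comparing it."""
    path = unquote(target.split("?", 1)[0])          # drop query, percent-decode
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]  # drop ;params
    return posixpath.normpath("/" + "/".join(s for s in segments if s))

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:        # hostname or "-" in the client field: not trusted
        return False
    return any(addr in net for net in TRUSTED_NETS)

def untrusted_hits(lines):
    """Return (client, method, status) for endpoint requests from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        if normalise_path(target) == ENDPOINT and not is_trusted(client):
            hits.append((client, method, int(status)))
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '10.20.0.5 - - [30/Jan/2026:10:00:01 +0800] "POST /servlet/baServer3 HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Jan/2026:10:00:05 +0800] "POST /servlet/baServer3?x=1 HTTP/1.1" 200 734',
    '198.51.100.23 - - [30/Jan/2026:10:00:09 +0800] "GET /servlet/%62aServer3;v=1 HTTP/1.1" 403 0',
    '203.0.113.7 - - [30/Jan/2026:10:00:12 +0800] "GET /index.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, method, status in untrusted_hits(SAMPLE):
        print(f"{client} {method} {ENDPOINT} -> HTTP {status}")
```

A 2xx status on a reported line means the endpoint was still reachable from an untrusted address at that time; a 403 or similar indicates the ACL rejected the request.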