CVE-2025-14660

Summary

A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access controls. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue. Patch name: 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component.

Affected Software

VendorProductVersion RangeStatus
DecoCMSMesh1.0.0-alpha.0affected
DecoCMSMesh1.0.0-alpha.1affected
DecoCMSMesh1.0.0-alpha.2affected
DecoCMSMesh1.0.0-alpha.3affected
DecoCMSMesh1.0.0-alpha.4affected
DecoCMSMesh1.0.0-alpha.5affected
DecoCMSMesh1.0.0-alpha.6affected
DecoCMSMesh1.0.0-alpha.7affected
DecoCMSMesh1.0.0-alpha.8affected
DecoCMSMesh1.0.0-alpha.9affected
DecoCMSMesh1.0.0-alpha.10affected
DecoCMSMesh1.0.0-alpha.11affected
DecoCMSMesh1.0.0-alpha.12affected
DecoCMSMesh1.0.0-alpha.13affected
DecoCMSMesh1.0.0-alpha.14affected
DecoCMSMesh1.0.0-alpha.15affected
DecoCMSMesh1.0.0-alpha.16affected
DecoCMSMesh1.0.0-alpha.17affected
DecoCMSMesh1.0.0-alpha.18affected
DecoCMSMesh1.0.0-alpha.19affected
DecoCMSMesh1.0.0-alpha.20affected
DecoCMSMesh1.0.0-alpha.21affected
DecoCMSMesh1.0.0-alpha.22affected
DecoCMSMesh1.0.0-alpha.23affected
DecoCMSMesh1.0.0-alpha.24affected
DecoCMSMesh1.0.0-alpha.25affected
DecoCMSMesh1.0.0-alpha.26affected
DecoCMSMesh1.0.0-alpha.27affected
DecoCMSMesh1.0.0-alpha.28affected
DecoCMSMesh1.0.0-alpha.29affected
DecoCMSMesh1.0.0-alpha.30affected
DecoCMSMesh1.0.0-alpha.31affected
DecoCMSMesh1.0.0-alpha.32unaffected

Weaknesses

  • CWE-284: Improper Access Controls
  • CWE-266: Incorrect Privilege Assignment

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References