VYPR
Unrated severity · NVD Advisory · Published Nov 30, 2023 · Updated Aug 2, 2024

Catalis CMS360 allows authentication bypass

CVE-2023-6341

Description

Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-6341 is an authentication bypass in Catalis CMS360, allowing unauthenticated remote attackers to view sealed court documents via URL ID manipulation.

Vulnerability

CVE-2023-6341 is an insufficient permission check vulnerability in Catalis CMS360, a court case and document management system previously known as Icon Software CMS360. The vulnerability resides in the document viewing functionality, where numeric document and case IDs are used in URLs. An unauthenticated, remote attacker can bypass access controls by simply modifying or incrementing these identifiers in the URL. Affected systems are used in Georgia, Mississippi, Ohio, and Tennessee, per reference [2]. The impact varies depending on whether a court configured CMS360 to disallow document viewing or require login, but many installations allowed direct access via URL manipulation. [1][2][3]

Exploitation

An attacker needs only a browser and network access to the CMS360 web interface; no authentication is required. The exploitation steps are trivial: the attacker navigates to a document URL containing a numeric ID (e.g., /document/12345) and increments or guesses other IDs to access sealed or confidential documents. This can be performed using browser developer tools or a simple script. The discoverability of document IDs varies by court configuration, but in some cases IDs were predictable or easily enumerable. [1][2]
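Because the behaviour described above leaves a distinctive trace in ordinary web-server access logs (one client walking closely spaced numeric document IDs in a short period), a detection pass over those logs is a practical compensating control while a fix is pending. The following is an added example, not code from the advisory, from Catalis, or from any cited reference; the combined log format, the `/document/<id>` path shape, the thresholds and the sample lines are all constructed assumptions.

```python
"""Flag clients that walk sequential /document/<id> URLs in a web-server access log.

Added example, not CMS360 code. The log line format, the URL path shape and the
thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined"-style access line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed document URL shape: a bare numeric identifier in the path.
DOC_RE = re.compile(r"^/document/(\d+)(?:[/?]|$)")

# Constructed sample log: one client stepping through IDs, two ordinary users.
# Every client uses the same User-Agent on purpose: the signal is behavioural.
SAMPLE_LOG = """\
198.51.100.4 - - [28/Nov/2023:09:14:02 +0000] "GET /case/101 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Nov/2023:09:14:20 +0000] "GET /document/40012 HTTP/1.1" 200 88120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:09:15:00 +0000] "GET /document/12345 HTTP/1.1" 200 70211 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:09:15:01 +0000] "GET /document/12346 HTTP/1.1" 200 40020 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:09:15:02 +0000] "GET /document/12347 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:09:15:03 +0000] "GET /document/12348 HTTP/1.1" 200 91000 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:09:15:05 +0000] "GET /document/12349 HTTP/1.1" 200 33000 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:09:15:06 +0000] "GET /document/12350 HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Nov/2023:09:16:00 +0000] "GET /document/500 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Nov/2023:09:16:30 +0000] "GET /document/501 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Nov/2023:09:17:00 +0000] "GET /document/53300 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def parse_document_requests(log_text):
    """Return (ip, timestamp, doc_id, status) tuples for requests to /document/<id>."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than aborting the scan
        d = DOC_RE.match(m["path"])
        if not d:
            continue  # not a document request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, int(d.group(1)), int(m["status"])))
    return events


def _summarize(ip, run, min_run):
    """Turn a run of requests into an alert dict, or None if it is too short."""
    if len(run) < min_run:
        return None
    return {
        "ip": ip,
        "count": len(run),
        "first_id": run[0][1],
        "last_id": run[-1][1],
        "not_found": sum(1 for _, _, status in run if status == 404),
    }


def find_enumeration_runs(events, min_run=5, window_s=120, max_step=3):
    """Return one alert per client whose document requests form a sequential run.

    A run is a chain of requests from one IP in which each document ID lies within
    max_step of the previous one and the whole chain fits inside window_s seconds.
    HTTP status is deliberately not a filter: 404s from guessed IDs are part of
    the pattern, and the not_found count is reported alongside the hits.
    """
    per_ip = defaultdict(list)
    for ip, ts, doc_id, status in events:
        per_ip[ip].append((ts, doc_id, status))

    alerts = []
    for ip, reqs in per_ip.items():
        reqs.sort()  # chronological order per client
        run = []
        for ts, doc_id, status in reqs:
            if run:
                prev_id, start = run[-1][1], run[0][0]
                if doc_id == prev_id:
                    continue  # a refresh of the same document is not a step
                if abs(doc_id - prev_id) > max_step or (ts - start).total_seconds() > window_s:
                    alert = _summarize(ip, run, min_run)
                    if alert:
                        alerts.append(alert)
                    run = []
            run.append((ts, doc_id, status))
        alert = _summarize(ip, run, min_run)
        if alert:
            alerts.append(alert)
    return alerts


def detect(log_text=SAMPLE_LOG):
    """Convenience wrapper: parse the log text and return the alert list."""
    return find_enumeration_runs(parse_document_requests(log_text))


if __name__ == "__main__":
    for alert in detect():
        print(f"{alert['ip']}: {alert['count']} sequential document IDs "
              f"{alert['first_id']}..{alert['last_id']} ({alert['not_found']} not found)")
```

Run against real logs, the thresholds need tuning per court: a clerk paging through a docket will also request adjacent IDs, so a reasonable starting point is to alert only on runs that are long, fast, and come from clients with no authenticated session. Reviewing historical logs with this logic is also the quickest way to scope which documents were already retrieved before a fix was applied.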

Impact

Successful exploitation allows an unauthenticated attacker to view sealed, confidential, unredacted, and otherwise restricted court documents. Exposed records have included witness lists, testimony, mental health evaluations, child custody agreements, detailed allegations of abuse, corporate trade secrets, jury forms, and other sensitive legal filings. The attacker gains the ability to read sensitive information that would normally be restricted, without any privilege escalation or write access. [1][2][3]

Mitigation

CISA has assisted in disclosure and encourages users and administrators to apply security updates as they become available [3]. As of the publication date (2023-11-30), Catalis has not publicly released a patch or specific workaround; the vendor's support page [4] does not mention this vulnerability. In the absence of a fix, affected courts should review their CMS360 configuration to restrict document access by requiring authentication and disabling direct document ID enumeration where possible. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1][2][3]
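The two configuration changes recommended above (require authentication, stop relying on enumerable document IDs) map onto two code-level controls: an object-level authorization check on every document request, and an unguessable indirect reference in place of the database ID. The following is an added example, not CMS360's code and not taken from any cited reference; the data model (documents belonging to a case, a sealed flag, a per-case set of authorized parties), the function names and the sample records are all assumptions used to illustrate the missing check beside its hardened form.

```python
"""Object-level authorization for a court-document endpoint.

Added example, not CMS360 code. The data model, function names and sample
records are assumptions used to contrast the unchecked pattern the advisory
describes with a checked one.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    case_id: int
    sealed: bool
    body: str


@dataclass
class Session:
    user_id: Optional[str] = None              # None: anonymous visitor
    refs: dict = field(default_factory=dict)   # opaque handle -> doc_id


# Constructed sample data: which user IDs are parties to which case.
PARTIES = {101: {"clerk-1", "atty-a"}, 102: {"atty-b"}}
DOCS = {
    12345: Document(12345, 101, sealed=False, body="public docket entry"),
    12346: Document(12346, 101, sealed=True, body="sealed custody evaluation"),
    12347: Document(12347, 102, sealed=True, body="sealed witness list"),
}


def fetch_document_unchecked(doc_id):
    """The pattern the advisory describes: the numeric ID from the URL is the
    only input, so anyone able to change that number can read any document."""
    return DOCS[doc_id].body


def authorize(session, doc_id, public_viewing_allowed=True):
    """Decide access for one (user, document) pair.

    Returns "allow", "login_required" or "deny". Unknown IDs return "deny" so
    that probing cannot distinguish a missing document from a forbidden one.
    public_viewing_allowed models the per-court setting the advisory mentions.
    """
    doc = DOCS.get(doc_id)
    if doc is None:
        return "deny"
    if not doc.sealed and public_viewing_allowed:
        return "allow"                          # court chose to publish unsealed filings
    if session.user_id is None:
        return "login_required"                 # authentication is necessary...
    if session.user_id in PARTIES.get(doc.case_id, set()):
        return "allow"                          # ...but only sufficient for a party to the case
    return "deny"


def fetch_document(session, doc_id, public_viewing_allowed=True):
    """Checked retrieval: the object-level decision runs on every request."""
    decision = authorize(session, doc_id, public_viewing_allowed)
    if decision != "allow":
        raise PermissionError(decision)
    return DOCS[doc_id].body


def issue_reference(session, doc_id):
    """Hand out an unguessable per-session handle instead of the database ID.

    This removes the enumerable number from the URL. It complements, and does
    not replace, the authorize() check that fetch_by_reference() still runs.
    """
    fetch_document(session, doc_id)             # caller must already be allowed to see it
    token = secrets.token_urlsafe(16)
    session.refs[token] = doc_id
    return token


def fetch_by_reference(session, token):
    """Resolve a handle issued to this session, then re-run the full check."""
    doc_id = session.refs.get(token)
    if doc_id is None:
        raise PermissionError("deny")           # unknown or another session's handle
    return fetch_document(session, doc_id)


if __name__ == "__main__":
    print(authorize(Session(), 12346))          # login_required
    print(authorize(Session("atty-a"), 12346))  # allow
    print(authorize(Session("atty-b"), 12346))  # deny
```

The decisive line is the membership test against the case's parties: requiring a login alone would still let any registered user read any sealed filing. Returning the same "deny" for a missing document and a forbidden one also removes the oracle that makes ID guessing productive.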

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0

No linked articles in our index yet.