CVE-2025-58986 in Jock On Air Now (JOAN) Plugin

Summary

by MITRE • 11/06/2025

Missing Authorization vulnerability in ganddser Jock On Air Now (JOAN) joan allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Jock On Air Now (JOAN): from n/a through <= 6.0.4.


Analysis

by VulDB Data Team • 11/08/2025

CVE-2025-58986 is a critical missing authorization flaw in ganddser Jock On Air Now (JOAN), affecting all versions from the initial release through 6.0.4. The weakness stems from incorrectly configured access control levels: the application's authorization checks are either absent or improperly implemented, so requests that should be restricted are not gated and attackers can bypass the intended security restrictions.

Technically the issue maps to CWE-285 (Improper Authorization). In JOAN it appears as insufficient validation of user permissions and roles, which opens paths to protected resources and functionality. The flaw sits at the application layer, where access control decisions should be made, but the code relies on inadequate or missing authorization checks and therefore never confirms that a request is permitted before granting access to restricted components.

Operationally, the flaw compromises the integrity and confidentiality of JOAN's protected data and services. Attackers could read sensitive information, modify system configuration, or perform administrative actions that should be reserved for authorized personnel. Because the application manages audio streaming and scheduling, the impact extends beyond data access: an attacker may manipulate core functionality, disrupt broadcasting operations, or gain control over the components that run streaming and scheduling services.

Exploitation resembles ATT&CK technique T1078 (Valid Accounts), in which legitimate credentials are used to bypass security controls. Here, however, the issue is not credential theft: the system fails to enforce authorization even when valid credentials are presented, so any authenticated user can potentially reach restricted features. This undermines the application's security model and can expose the entire broadcasting infrastructure to unauthorized manipulation.

Organizations running JOAN 6.0.4 or earlier should mitigate immediately: review access controls thoroughly, implement proper authorization checks, and add security layers such as network segmentation and monitoring. The recommended approach is to update to a patched version, conduct a comprehensive security assessment, and apply least-privilege access controls. Organizations should also consider intrusion detection to flag suspicious access patterns that may indicate exploitation attempts, and schedule regular security audits to find and remediate similar authorization flaws in other applications within their infrastructure.
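As an added example (not code from this page, from VulDB, or from the JOAN project), the check the mitigation paragraph calls for, written in Python: a dispatcher that only verifies the caller is logged in (the CWE-285 pattern described above, where any authenticated user reaches every action) beside a deny-by-default version that requires an explicit capability per action and records denials for the monitoring recommended above. The actions, roles and capabilities are hypothetical names constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # hypothetical role names, e.g. {"subscriber"}

# Constructed least-privilege policy (hypothetical names): each privileged action
# declares the one capability it needs, and roles map to capabilities. Nothing is
# granted implicitly, so an action that is not declared here is unreachable.
ROLE_CAPS = {
    "administrator": {"manage_settings", "edit_schedule", "view_schedule"},
    "dj": {"edit_schedule", "view_schedule"},
    "subscriber": {"view_schedule"},
}
ACTION_CAPS = {
    "save_settings": "manage_settings",
    "update_schedule": "edit_schedule",
    "get_schedule": "view_schedule",
}

@dataclass
class AuditLog:
    events: list = field(default_factory=list)

def vulnerable_dispatch(user, action):
    """CWE-285 pattern: authentication is the only gate, so any logged-in user
    reaches every action, including administrative ones."""
    if user is None:
        return 401
    return 200  # the action would run here regardless of the caller's role

def user_has_cap(user, cap):
    """True if any of the user's roles grants the capability."""
    return any(cap in ROLE_CAPS.get(role, set()) for role in user.roles)

def hardened_dispatch(user, action, audit):
    """Authenticate, then authorize: deny unless the action declares a capability
    and the caller's roles grant it. Denials are logged for monitoring."""
    if user is None:
        return 401
    cap = ACTION_CAPS.get(action)
    if cap is None or not user_has_cap(user, cap):
        audit.events.append((user.name, action, "denied"))
        return 403
    return 200  # the action runs only after the capability check passes
```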

Disclosure: 11/06/2025

Moderation: accepted

CPE: ready

EPSS: 0.00038

KEV: no

Activities: very low
