CVE-2025-25478

The account file upload functionality in Syspass 3.2.x fails to properly handle special characters in filenames. This mismanagement leads to the disclosure of the web application s source code, exposing sensitive information such as the database password.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/sysentr0py/CVEs/tree/main/CVE-2025-25478
https://github.com/sysentr0py/CVEs/tree/main/CVE-2025-25478

Configurations

No configuration.

History

05 Mar 2025, 16:15

Type	Values Removed	Values Added
CWE		CWE-73
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
Summary		(es) La función de carga de archivos de cuenta en Syspass 3.2.x no gestiona correctamente los caracteres especiales en los nombres de archivo. Esta mala gestión provoca la divulgación del código fuente de la aplicación web, lo que deja expuesta información confidencial, como la contraseña de la base de datos.
References	~~() https://github.com/sysentr0py/CVEs/tree/main/CVE-2025-25478 -~~	() https://github.com/sysentr0py/CVEs/tree/main/CVE-2025-25478 -

28 Feb 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-28 23:15

Updated : 2025-03-05 16:15

NVD link : CVE-2025-25478

Mitre link : CVE-2025-25478

CVE.ORG link : CVE-2025-25478

JSON object : View

Products Affected

No product.

CWE

CWE-73

External Control of File Name or Path

6.5 /10