Home

Description

EN DE

A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Performing manipulation of the argument Version results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

Eine Schwachstelle wurde in lsfusion platform up to 6.1 gefunden. Es geht um die Funktion DownloadFileRequestHandler der Datei web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Die Veränderung des Parameters Version resultiert in path traversal. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit wurde der Öffentlichkeit bekannt gemacht und könnte verwendet werden.

PUBLISHED Reserved 2025-11-16 | Published 2025-11-17 | Updated 2025-11-17 | Assigner VulDB




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
MEDIUM: 5.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
5.0AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR

Problem types

Path Traversal

Product status

6.0
affected

6.1
affected

Timeline

2025-11-16:Advisory disclosed
2025-11-16:VulDB entry created
2025-11-16:VulDB entry last update

Credits

R1ckyZ (VulDB User) reporter

References

vuldb.com/?id.332596 (VDB-332596 | lsfusion platform DownloadFileRequestHandler.java DownloadFileRequestHandler path traversal) vdb-entry technical-description

vuldb.com/?ctiid.332596 (VDB-332596 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.689412 (Submit #689412 | lsFusion 6.1 Unauthorized Arbitrary File Read) third-party-advisory

github.com/lsfusion/platform/issues/1543 issue-tracking

github.com/lsfusion/platform/issues/1543 exploit issue-tracking

cve.org (CVE-2025-13261)

nvd.nist.gov (CVE-2025-13261)

Download JSON