Description

A vulnerability was found in lsfusion platform up to 6.1. It affects the function UploadFileRequestHandler in the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java. Manipulating the argument sid can lead to path traversal. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.

PUBLISHED Reserved 2025-11-16 | Published 2025-11-17 | Updated 2025-11-17 | Assigner VulDB




MEDIUM: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
HIGH: 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
HIGH: 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Path Traversal

Product status

6.0: affected
6.1: affected

Timeline

2025-11-16: Advisory disclosed
2025-11-16: VulDB entry created
2025-11-16: VulDB entry last update

Credits

R1ckyZ (VulDB User), reporter

References

vuldb.com/?id.332597 (VDB-332597 | lsfusion platform UploadFileRequestHandler.java UploadFileRequestHandler path traversal) vdb-entry technical-description

vuldb.com/?ctiid.332597 (VDB-332597 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.689414 (Submit #689414 | lsFusion 6.1 Arbitrary File Upload) third-party-advisory

github.com/lsfusion/platform/issues/1544 exploit issue-tracking

cve.org (CVE-2025-13262)

nvd.nist.gov (CVE-2025-13262)
