Home

Description

UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. This issue may lead to sensitive information disclosure and, in some environments, enable further lateral movement.

PUBLISHED Reserved 2025-04-15 | Published 2025-11-25 | Updated 2025-11-25 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status
unaffected

Any version before 10.1.15
affected

Timeline

2025-11-24:Vulnerability was patched and publicly-disclosed by vendor

Credits

Victor Morales of GM Sectec, Corp. finder

Jan Rodriguez of GM Sectec, Corp. finder

References

unform.com/download/uf101_readme.txt release-notes patch

www.vulncheck.com/...rver-doc-flow-unauthenticated-file-read third-party-advisory

cve.org (CVE-2025-34350)

nvd.nist.gov (CVE-2025-34350)

Download JSON