Home

Description

Newforma Info Exchange (NIX) '/UserWeb/Common/MarkupServices.ashx' 'StreamStampImage' accepts an encrypted file path and returns an image of the specified file. An authenticated attacker can read arbitrary files subject to the privileges of NIX, typically 'NT AUTHORITY\NetworkService', and the ability of StreamStampImage to process the file. The encrypted file path can be generated using the shared, hard-coded secret key described in CVE-2025-35052. This vulnerability cannot be exploited as an 'anonymous' user as described in CVE-2025-35062.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-09 | Updated 2025-10-09 | Assigner cisa-cg




MEDIUM: 5.0CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unknown

Any version before 2024.1
affected

2024.1
unaffected

Credits

Shadron Gudmunson,Luke Rindels,Robert McCain,Asjha Stus,Adam Merrill,Ryan Kao,Brian Healy, Sandia National Laboratories Adversarial Modeling and Penetration Testing (AMPT)

References

www.cve.org/CVERecord?id=CVE-2025-35062 (url)

www.cve.org/CVERecord?id=CVE-2025-35056 (url)

raw.githubusercontent.com/...IT/white/2025/va-25-282-01.json (url)

cve.org (CVE-2025-35056)

nvd.nist.gov (CVE-2025-35056)

Download JSON