Description

Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should upgrade to Agiloft Release 31.

PUBLISHED Reserved 2025-04-15 | Published 2025-08-26 | Updated 2025-08-29 | Assigner cisa-cg




MEDIUM: 4.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N)
MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N)

Problem types

CWE-611 Improper Restriction of XML External Entity Reference

Product status

Default status: unknown

Any version before Release 31: affected

Release 31: unaffected

Credits

Matthew Galligan, CISA Rapid Action Force (RAF)

References

wiki.agiloft.com/display/HELP/What's+New:+CVE+Resolution (url)

raw.githubusercontent.com/...IT/white/2025/va-25-239-01.json (url)

www.cve.org/CVERecord?id=CVE-2025-35112 (url)

cve.org (CVE-2025-35112)

nvd.nist.gov (CVE-2025-35112)
