
Description

ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal. An unauthenticated remote attacker can exploit the vulnerable fileName parameter and construct payloads that download any file accessible to the web server process.
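The bug class described above, as an added illustration that is not code from ITCube CRM or from the advisory: a naive file-download handler that joins a user-supplied fileName onto a document root, beside the hardened form that canonicalises the result and refuses anything outside the root. The handler names, the directory layout and the payload list are constructed for this example; the advisory publishes no request details, so the payloads show the generic CWE-22 pattern, not the exact strings used against the product.

```python
import os
import tempfile
from urllib.parse import unquote


def unsafe_resolve(base_dir: str, file_name: str) -> str:
    """Vulnerable pattern (hypothetical, mirrors CWE-22): the request
    parameter is joined straight onto the document root. '..' segments are
    honoured, and os.path.join discards base_dir entirely when file_name is
    absolute, so the result can point anywhere the server process can read."""
    return os.path.normpath(os.path.join(base_dir, file_name))


def safe_resolve(base_dir: str, file_name: str) -> str:
    """Hardened form: resolve symlinks on both sides, then require that the
    canonical target still lies under the canonical root. Assumes the web
    framework has already URL-decoded the parameter once. Raises ValueError
    for absolute paths, embedded NULs, and anything that escapes the root."""
    root = os.path.realpath(base_dir)
    # Treat backslashes as separators so '..\\' is not silently a plain
    # filename on POSIX but a traversal on Windows.
    normalised = file_name.replace("\\", "/")
    if os.path.isabs(normalised) or "\x00" in normalised:
        raise ValueError(f"rejected fileName {file_name!r}")
    candidate = os.path.realpath(os.path.join(root, normalised))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"rejected fileName {file_name!r}: escapes {root}")
    return candidate


def demo() -> dict:
    """Constructed scenario: an 'uploads' root holding one legitimate file,
    and a secret one level above it. Returns, per payload, whether the naive
    resolver produced a path outside the root and whether the hardened
    resolver accepted the request."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.makedirs(os.path.join(root, "2025"))
        with open(os.path.join(root, "invoice.pdf"), "w") as fh:
            fh.write("legitimate download")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("must never be served")
        real_root = os.path.realpath(root)
        payloads = [
            "invoice.pdf",                       # legitimate request
            "2025/../invoice.pdf",               # '..' that stays inside root
            "../secret.txt",                     # classic traversal
            "..%2Fsecret.txt",                   # URL-encoded separator
            "2025/../../secret.txt",             # traversal via a subdirectory
            os.path.join(tmp, "secret.txt"),     # absolute path
        ]
        for raw in payloads:
            param = unquote(raw)  # what the framework hands the handler
            target = unsafe_resolve(root, param)
            escaped = os.path.commonpath(
                [real_root, os.path.realpath(target)]) != real_root
            try:
                safe_resolve(root, param)
                allowed = True
            except ValueError:
                allowed = False
            results[raw] = (escaped, allowed)
    return results


if __name__ == "__main__":
    for payload, (escaped, allowed) in demo().items():
        print(f"{payload!r:45} naive escapes root: {escaped!s:5} "
              f"hardened accepts: {allowed}")
```

The check that matters is the commonpath comparison after realpath: rejecting the literal string ".." is not enough, because encoded separators, backslashes on Windows, symlinks inside the root, and absolute paths all bypass string filters while the canonical-path comparison catches them uniformly.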

PUBLISHED Reserved 2025-06-11 | Published 2025-09-08 | Updated 2025-09-08 | Assigner CERT-PL




CRITICAL: 9.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

2023.2 (custom; through 2025.2 per the description above)
affected

Credits

Andrey Moerov (Possehl Secure GmbH) finder

References

cert.pl/posts/2025/07/CVE-2025-5993 third-party-advisory

itcube.pl/modul-crm product

cve.org (CVE-2025-5993)

nvd.nist.gov (CVE-2025-5993)
