
Description

The WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete any file on the server using path traversal in the ilog script. This script runs with root privileges. This issue was fixed in version 6.44.44.

PUBLISHED Reserved 2025-11-17 | Published 2025-12-16 | Updated 2025-12-16 | Assigner CERT-PL




HIGH: 8.6 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 6.44.44
affected

Credits

Julia Zduńczyk finder

References

cert.pl/en/posts/2025/12/CVE-2025-65074 third-party-advisory

www.wavestore.com/products/video-management-software product

cve.org (CVE-2025-65076)

nvd.nist.gov (CVE-2025-65076)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.