CVE-2025-3518

EPSS 0.03%
Veröffentlicht 22.04.2025 08:49:56
Zuletzt bearbeitet 23.06.2025 19:22:37
Quelle vulnerability@ncsc.ch
CVE-Watchlists
Login
Unerledigt
Login

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled.

The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the system nevertheless allows files to be uploaded through direct API requests. During the upload file, interception and allowed file type rules are still applied correctly.

If file sharing is generally enabled, this issue is not of concern.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Unblu ≫ Spark Version >= 7.0.1 < 7.54.1

Unblu ≫ Spark Version >= 8.0.1 < 8.13.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.084

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vulnerability@ncsc.ch	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://www.unblu.com/en/docs/latest/security-bulletins/#UBL-2025-002

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-3518

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-3518

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-3518

EUVD