Platform
java
Component
lsfusion.platform:web-client
Fixed in
6.0.1
6.1.1
CVE-2025-13262 describes a Path Traversal vulnerability discovered in lsfusion platform versions up to 6.1. This flaw allows attackers to potentially access sensitive files and directories on the server by manipulating the 'sid' parameter. The vulnerability affects the UploadFileRequestHandler function and can be exploited remotely. A fix is available in version 6.1.1.
Successful exploitation of CVE-2025-13262 allows an attacker to bypass access controls and read arbitrary files on the server hosting the lsfusion platform web client. This could include configuration files, source code, or other sensitive data. Depending on the files accessed, an attacker could gain a deeper understanding of the system's architecture, potentially leading to further exploitation. The ability to read arbitrary files represents a significant security risk, particularly if the server stores credentials or other confidential information. The publicly disclosed nature of this vulnerability increases the likelihood of exploitation.
CVE-2025-13262 has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been definitively linked to this specific CVE at the time of writing, the availability of a public exploit significantly lowers the barrier to entry for attackers. The vulnerability is not currently listed on the CISA KEV catalog. The NVD publication date is 2025-11-17.
Organizations deploying lsfusion platform in environments with limited access controls or those running older, unpatched versions (≤6.1) are at significant risk. Shared hosting environments utilizing lsfusion platform are particularly vulnerable due to the potential for cross-tenant exploitation.
• java / server:
  find /path/to/lsfusion/platform/web-client/src/main/java/lsfusion/http/controller/file/ -name "UploadFileRequestHandler.java"
• generic web:
  curl -I 'http://your-lsfusion-server/path/to/file?sid=../../../../etc/passwd' # Check for 200 OK or other unexpected responses
Exploit status
EPSS
0.40% (60th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13262 is to upgrade to lsfusion platform version 6.1.1 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing input validation on the 'sid' parameter to prevent malicious path manipulation. Web Application Firewalls (WAFs) configured to detect and block path traversal attempts can also provide a temporary layer of protection. Review and restrict file upload permissions to minimize the potential impact of a successful attack. After upgrading, confirm the vulnerability is resolved by attempting a file upload with a manipulated 'sid' parameter and verifying that access is denied.
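As an added illustration of the input validation recommended above (example code written for this page, not part of the lsfusion platform; the `SidPathGuard` class, the `/var/lib/lsfusion/uploads` directory and the identifier format are assumptions), the following Java helper allow-lists the raw 'sid' value and then checks that the resolved path still lies under the intended upload directory:

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not lsfusion code) showing how a request handler can
 * validate a user-supplied 'sid' before using it to build a file path.
 * Two layers: an allow-list on the raw value, then a canonical-path check
 * that the resolved file still lives under the intended upload directory.
 */
public final class SidPathGuard {

    // Allow-list: opaque identifiers only, no separators, no dots.
    // Assumption: real identifiers are alphanumeric with '-' or '_' and bounded in length.
    private static final Pattern SAFE_SID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private final Path baseDir;

    public SidPathGuard(Path baseDir) {
        // Normalize once so the later startsWith() comparison is meaningful.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** True if 'sid' passes the allow-list; "../", "/", "\\" and "%2e" residue all fail here. */
    public boolean isWellFormed(String sid) {
        return sid != null && SAFE_SID.matcher(sid).matches();
    }

    /**
     * Resolves 'sid' under baseDir and returns the path only if it cannot escape.
     * Throws IllegalArgumentException otherwise, so the caller fails closed.
     */
    public Path resolveSafely(String sid) {
        if (!isWellFormed(sid)) {
            throw new IllegalArgumentException("rejected sid: malformed");
        }
        Path candidate = baseDir.resolve(sid).normalize();
        // Defence in depth: even a value that slipped past the regex must stay inside baseDir.
        // Note: this does not follow symlinks; use toRealPath() if links inside baseDir are a concern.
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("rejected sid: escapes upload directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Assumed upload directory; adjust to the deployment's real location.
        SidPathGuard guard = new SidPathGuard(Paths.get("/var/lib/lsfusion/uploads"));
        // Constructed inputs: one benign identifier, the traversal string quoted in the
        // advisory's check above, and an encoded / separator-bearing variant the regex also stops.
        String[] samples = {
            "a1b2c3-session",
            "../../../../etc/passwd",
            "sub%2f..%2fsecret",
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + guard.resolveSafely(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The regex is the real control: it rejects anything that is not an opaque identifier before the value ever touches the file system. The `startsWith(baseDir)` check is kept as a second layer so that a future loosening of the allow-list (for example to permit subdirectories) still cannot resolve outside the upload root.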
Update the lsfusion platform to a version later than 6.1 that fixes the path traversal vulnerability in the UploadFileRequestHandler component. Check the vendor's website for the latest version and upgrade instructions.
CVE-2025-13262 is a Path Traversal vulnerability affecting lsfusion platform versions up to 6.1, allowing attackers to potentially access sensitive files by manipulating the 'sid' parameter.
You are affected if you are running lsfusion platform version 6.1 or earlier. Upgrade to 6.1.1 or later to mitigate the risk.
Upgrade to lsfusion platform version 6.1.1 or later. As a temporary measure, implement input validation on the 'sid' parameter and consider using a WAF.
While no confirmed active campaigns are publicly known, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the official lsfusion platform security advisories on their website or relevant security mailing lists for the latest information.