Platform: java
Component: lsfusion.platform:web-client
Fixed in: 6.0.1, 6.1.1
CVE-2025-13262 describes a Path Traversal vulnerability discovered in lsfusion platform versions up to 6.1. This flaw allows attackers to potentially access sensitive files and directories on the server by manipulating the 'sid' parameter. The vulnerability affects the UploadFileRequestHandler function and can be exploited remotely. A fix is available in version 6.1.1.
Successful exploitation of CVE-2025-13262 allows an attacker to bypass access controls and read arbitrary files on the server hosting the lsfusion platform web client. This could include configuration files, source code, or other sensitive data. Depending on the files accessible, an attacker could gain further insights into the system's architecture, potentially leading to privilege escalation or other malicious activities. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the affected platform.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been definitively linked to CVE-2025-13262, the availability of a public exploit significantly lowers the barrier to entry for attackers. The vulnerability is not currently listed on CISA KEV, but its HIGH severity and public disclosure warrant close monitoring.
Exploit Status
EPSS: 0.40% (60th percentile)
The primary mitigation for CVE-2025-13262 is to upgrade to lsfusion platform version 6.1.1 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing input validation on the 'sid' parameter to prevent path traversal attempts. Web application firewalls (WAFs) configured to detect and block path traversal attempts can also provide a temporary layer of protection. Review and restrict file upload permissions to minimize the potential impact of a successful exploit. After upgrading, confirm the vulnerability is resolved by attempting a path traversal attack with a known malicious payload and verifying that access is denied.
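As an added illustration of the interim 'sid' validation suggested above (this is constructed example code, not lsfusion's own handler or its fix), the guard below applies an allow-list to the parameter and then confirms that the normalized, symlink-resolved path still lies under an assumed upload base directory:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/** Hypothetical guard for a request parameter used to locate an uploaded file (constructed example). */
public final class SidPathGuard {
    // Allow-list for a generated identifier: no separators, dots, or control characters. Assumed policy.
    private static final Pattern SID_ALLOWED = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private final Path baseDir;

    public SidPathGuard(Path baseDir) throws IOException {
        // Canonicalize once so symlinks in the base itself do not skew the later prefix check.
        this.baseDir = baseDir.toRealPath();
    }

    /** Resolves sid to a file under baseDir, or throws if sid is malformed or escapes the base. */
    public Path resolve(String sid) throws IOException {
        if (sid == null || !SID_ALLOWED.matcher(sid).matches()) {
            // Rejects "..", "/", "\", NUL bytes and over-long values before any filesystem call.
            throw new IllegalArgumentException("invalid sid");
        }
        Path candidate = baseDir.resolve(sid).normalize();
        // Independent second check: the normalized path must still start with the base directory.
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("sid escapes upload directory");
        }
        // If the file exists, resolve symlinks too, so a planted link cannot redirect the read.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir)) {
            throw new IllegalArgumentException("sid resolves outside upload directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("uploads");   // constructed base directory
        SidPathGuard guard = new SidPathGuard(tmp);
        System.out.println("accepted: " + guard.resolve("a1B2c3"));
        // Constructed malformed inputs; each must be rejected by the allow-list or the prefix check.
        for (String bad : new String[] {"../../secret.conf", "..\\secret.conf", "x/../../y", "a\u0000b"}) {
            try {
                guard.resolve(bad);
                System.out.println("UNEXPECTEDLY ACCEPTED: " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad.replace("\u0000", "\\0") + ": " + e.getMessage());
            }
        }
    }
}
```

The allow-list alone blocks every traversal form shown; the prefix checks remain as defence in depth in case the identifier policy is later relaxed.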
Update the lsfusion platform to a version later than 6.1 that corrects the path traversal vulnerability in the UploadFileRequestHandler component. Consult the vendor's website for the latest version and upgrade instructions.
CVE-2025-13262 is a Path Traversal vulnerability affecting lsfusion platform versions up to 6.1, allowing attackers to potentially access sensitive files by manipulating the 'sid' parameter.
You are affected if you are running lsfusion platform version 6.1 or earlier. Upgrade to 6.1.1 or later to mitigate the risk.
Upgrade to lsfusion platform version 6.1.1 or later. As a temporary measure, implement input validation on the 'sid' parameter and consider using a WAF.
While no confirmed active campaigns are publicly known, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the official lsfusion platform security advisories on their website or relevant security mailing lists for the latest information.