CVE-2025-0422 HIGH

CVE-2025-0422: Authenticated Remote Code Execution via ScriptVar

Vendor Cordaware

Product bestinformed Web

Weakness CWE-20 · Input validation

Published February 18, 2025

Last update February 18, 2025

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

What the vulnerability does

01Description

An authenticated user in the "bestinformed Web" application can execute commands on the underlying server running the application. (Remote Code Execution) For this, the user must be able to create "ScriptVars" with the type „script" and preview them by, for example, creating a new "Info". By default, admin users have those permissions, but with the granular permission system, those permissions may be assigned to other users. An attacker is able to execute commands on the server running the "bestinformed Web" application if an account with the correct permissions was compromised before.

Key dates

02Disclosure timeline

February 18, 2025 CVE published

February 18, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-0422

Related vulnerabilities

CVE-2025-0422: Authenticated Remote Code Execution via ScriptVar

01Description

02Disclosure timeline

03References

04Related CVE