CVE-2025-2305 HIGH

CVE-2025-2305: Local file inclusion vulnerability in LIVE CONTRACT

Vendor Syncpilot
Product LIVE CONTRACT
Weakness CWE-20 · Input validation
Published May 16, 2025
Last update May 16, 2025
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

A Path traversal vulnerability in the file download functionality was identified. This vulnerability allows unauthenticated users to download arbitrary files, in the context of the application server, from the Linux server.

Key dates

02Disclosure timeline

May 16, 2025 CVE published
May 16, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2019-1740 Cisco IOS and IOS XE Software Network-Based Application Recognition Denial of Service Vulnerabilities CVE-2024-9507 Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder <= 2.15.2 - Authenticated (Administrator+) Improper Input Validation via iconUpload Function to Arbitrary File Read CVE-2022-30756 CVE-2023-38654 CVE-2021-31373 Junos OS: SRX Series: Persistent XSS vulnerability in J-Web