CVE-2025-1782 PUBLISHED

Unsanitized input in language form field

Assigner: redhat
Reserved: 28.02.2025 Published: 14.04.2025 Updated: 14.04.2025

In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker to be authenticated with a valid user account.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Package Collection	https://www.ifax.com/
Package Name	HylaFAX Enterprise Web Interface
Versions	Default: unaffected affected from 0 to 1.1.* (excl.) affected from 1.2.0 to 1.2.1 (excl.) affected from 1.3.0 to 1.3.2 (excl.)

Package Collection	https://sourceforge.net/projects/avantfax/
Package Name	AvantFAX
Versions	Default: unaffected affected from 0 to 3.3.* (excl.) affected from 3.4.0 to 3.4.1 (excl.)

References

https://www.ifax.com/security/CVE-2025-1782.html

Problem Types

CWE-94 Improper Control of Generation of Code ('Code Injection') CWE