CVE-2025-3115

Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions. Additionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3115-r3485/

Configurations

Configuration 1 (hide)

cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:*:*:*:*:-:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:tibco:spotfire_statistics_services::::::::
	cpe:2.3:a:tibco:spotfire_statistics_services:14.1.0:::::::*
	cpe:2.3:a:tibco:spotfire_statistics_services:14.2.0:::::::*
	cpe:2.3:a:tibco:spotfire_statistics_services:14.3.0:::::::*
	cpe:2.3:a:tibco:spotfire_statistics_services:14.4.0:::::::*
	cpe:2.3:a:tibco:spotfire_statistics_services:14.4.1:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:::::server:::*
	cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.18.0::::server:::
	cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.19.0::::server:::
	cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.20.0::::server:::
	cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.21.0::::server:::
	cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.21.1::::server:::

Configuration 4 (hide)

OR	cpe:2.3:a:tibco:spotfire_analyst::::::::
	cpe:2.3:a:tibco:spotfire_analyst:14.1.0:::::::*
	cpe:2.3:a:tibco:spotfire_analyst:14.2.0:::::::*
	cpe:2.3:a:tibco:spotfire_analyst:14.3.0:::::::*
	cpe:2.3:a:tibco:spotfire_analyst:14.4.0:::::::*
	cpe:2.3:a:tibco:spotfire_analyst:14.4.1:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:tibco:spotfire_deployment_kit::::::::
	cpe:2.3:a:tibco:spotfire_deployment_kit:14.1.0:::::::*
	cpe:2.3:a:tibco:spotfire_deployment_kit:14.2.0:::::::*
	cpe:2.3:a:tibco:spotfire_deployment_kit:14.3.0:::::::*
	cpe:2.3:a:tibco:spotfire_deployment_kit:14.4.0:::::::*
	cpe:2.3:a:tibco:spotfire_deployment_kit:14.4.1:::::::*

Configuration 6 (hide)

cpe:2.3:a:tibco:spotfire_desktop:*:*:*:*:*:*:*:*

Configuration 7 (hide)

cpe:2.3:a:tibco:spotfire_analytics_platform:*:*:*:*:*:aws_marketplace:*:*

History

11 Nov 2025, 12:15

Type	Values Removed	Values Added
References	~~{'url': 'https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3114-r3484/', 'tags': ['Vendor Advisory'], 'source': 'security@tibco.com'}~~	() https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3115-r3485/ -

22 Apr 2025, 16:46

Type	Values Removed	Values Added
References	~~() https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3114-r3484/ -~~	() https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3114-r3484/ - Vendor Advisory
First Time		Tibco spotfire Statistics Services Tibco spotfire Analytics Platform Tibco spotfire Deployment Kit Tibco spotfire Desktop Tibco spotfire Enterprise Runtime For R Tibco spotfire Analyst Tibco
Summary		(es) Vulnerabilidades de inyección: Los atacantes pueden inyectar código malicioso, lo que podría permitirle controlar el sistema que ejecuta estas funciones. Además, una validación insuficiente de los nombres de archivo durante la carga puede permitir que los atacantes carguen y ejecuten archivos maliciosos, lo que provoca la ejecución de código arbitrario.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:tibco:spotfire_analyst:14.4.0:::::::* cpe:2.3:a:tibco:spotfire_analyst:::::::: cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.18.0::::server::: cpe:2.3:a:tibco:spotfire_statistics_services:14.1.0:::::::* cpe:2.3:a:tibco:spotfire_statistics_services:14.2.0:::::::* cpe:2.3:a:tibco:spotfire_desktop:::::::: cpe:2.3:a:tibco:spotfire_deployment_kit:14.3.0:::::::* cpe:2.3:a:tibco:spotfire_analytics_platform::::::aws_marketplace::* cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.21.0::::server::: cpe:2.3:a:tibco:spotfire_deployment_kit:::::::: cpe:2.3:a:tibco:spotfire_analyst:14.3.0:::::::* cpe:2.3:a:tibco:spotfire_deployment_kit:14.1.0:::::::* cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:::::-:::* cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.19.0::::server::: cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:::::server:::* cpe:2.3:a:tibco:spotfire_statistics_services:::::::: cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.21.1::::server::: cpe:2.3:a:tibco:spotfire_analyst:14.1.0:::::::* cpe:2.3:a:tibco:spotfire_statistics_services:14.3.0:::::::* cpe:2.3:a:tibco:spotfire_deployment_kit:14.4.1:::::::* cpe:2.3:a:tibco:spotfire_enterprise_runtime_for_r:1.20.0::::server::: cpe:2.3:a:tibco:spotfire_analyst:14.4.1:::::::* cpe:2.3:a:tibco:spotfire_statistics_services:14.4.1:::::::* cpe:2.3:a:tibco:spotfire_deployment_kit:14.4.0:::::::* cpe:2.3:a:tibco:spotfire_deployment_kit:14.2.0:::::::* cpe:2.3:a:tibco:spotfire_statistics_services:14.4.0:::::::* cpe:2.3:a:tibco:spotfire_analyst:14.2.0:::::::*

09 Apr 2025, 19:15

Type	Values Removed	Values Added
CWE		CWE-94

09 Apr 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-09 18:15

Updated : 2025-11-11 12:15

NVD link : CVE-2025-3115

Mitre link : CVE-2025-3115

CVE.ORG link : CVE-2025-3115

JSON object : View

Products Affected

tibco

spotfire_statistics_services
spotfire_analyst
spotfire_analytics_platform
spotfire_deployment_kit
spotfire_desktop
spotfire_enterprise_runtime_for_r

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.8 /10