CVE-2025-48783

An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://zuso.ai/advisory/za-2025-08	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:scshr:hr_portal:*:*:*:*:*:*:*:*

History

04 Feb 2026, 14:36

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de control externo de nombre o ruta de archivo en la función de eliminación de archivos de Soar Cloud HRD Human Resource Management System hasta la versión 7.3.2025.0408 permite a atacantes remotos eliminar archivos parciales al especificar rutas de archivo arbitrarias.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Scshr hr Portal Scshr
References	~~() https://zuso.ai/advisory/za-2025-08 -~~	() https://zuso.ai/advisory/za-2025-08 - Third Party Advisory
CPE		cpe:2.3:a:scshr:hr_portal::::::::

06 Jun 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-06 10:15

Updated : 2026-02-04 14:36

NVD link : CVE-2025-48783

Mitre link : CVE-2025-48783

CVE.ORG link : CVE-2025-48783

JSON object : View

Products Affected

scshr

hr_portal

CWE

CWE-73

External Control of File Name or Path

{"id": "CVE-2025-48783", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ART@zuso.ai", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-06T10:15:24.320", "references": [{"url": "https://zuso.ai/advisory/za-2025-08", "tags": ["Third Party Advisory"], "source": "ART@zuso.ai"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ART@zuso.ai", "description": [{"lang": "en", "value": "CWE-73"}]}], "descriptions": [{"lang": "en", "value": "An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths."}, {"lang": "es", "value": "Una vulnerabilidad de control externo de nombre o ruta de archivo en la funci\u00f3n de eliminaci\u00f3n de archivos de Soar Cloud HRD Human Resource Management System hasta la versi\u00f3n 7.3.2025.0408 permite a atacantes remotos eliminar archivos parciales al especificar rutas de archivo arbitrarias."}], "lastModified": "2026-02-04T14:36:46.657", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:scshr:hr_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "507BD788-06E1-4367-A35F-9B6C27D9008D", "versionEndIncluding": "7.3.2025.0408"}], "operator": "OR"}]}], "sourceIdentifier": "ART@zuso.ai"}