CVE-2025-54790

Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10.

CVSS

No CVSS.

References

Link	Resource
https://github.com/humhub/cfiles/pull/252
https://github.com/humhub/cfiles/releases/tag/v0.16.10
https://github.com/humhub/cfiles/security/advisories/GHSA-rfvq-g9rm-pgqj

Configurations

No configuration.

History

04 Aug 2025, 15:06

Type	Values Removed	Values Added
Summary		(es) Files es un módulo para gestionar archivos dentro de espacios y perfiles de usuario. En las versiones 0.16.9 y anteriores, Files no cuenta con lógica para evitar la explotación de consultas SQL de backend sin salida directa, lo que podría permitir el acceso no autorizado a los datos. Esto se solucionó en la versión 0.16.10.

02 Aug 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-02 00:15

Updated : 2025-08-04 15:06

NVD link : CVE-2025-54790

Mitre link : CVE-2025-54790

CVE.ORG link : CVE-2025-54790

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-54790", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-02T00:15:26.360", "references": [{"url": "https://github.com/humhub/cfiles/pull/252", "source": "security-advisories@github.com"}, {"url": "https://github.com/humhub/cfiles/releases/tag/v0.16.10", "source": "security-advisories@github.com"}, {"url": "https://github.com/humhub/cfiles/security/advisories/GHSA-rfvq-g9rm-pgqj", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10."}, {"lang": "es", "value": "Files es un m\u00f3dulo para gestionar archivos dentro de espacios y perfiles de usuario. En las versiones 0.16.9 y anteriores, Files no cuenta con l\u00f3gica para evitar la explotaci\u00f3n de consultas SQL de backend sin salida directa, lo que podr\u00eda permitir el acceso no autorizado a los datos. Esto se solucion\u00f3 en la versi\u00f3n 0.16.10."}], "lastModified": "2025-08-04T15:06:15.833", "sourceIdentifier": "security-advisories@github.com"}