Files: Potential for SQL Injection through File Browse and List...

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Description

Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10.

Basic Information

ID CVE-2025-54790

Source GitHub_M

Published Aug 1, 2025 at 23:37

Modified Aug 4, 2025 at 15:22

Affected Product

Vendor humhub

Product cfiles

Version < 0.16.10

Affected Versions humhub cfiles < 0.16.10

CWE Classification

CWE-89

References

{
    "lastseen": "",
    "description": "Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10.",
    "published": "2025-08-01T23:37:23.353Z",
    "modified": "2025-08-04T15:22:29.986Z",
    "type": "cve",
    "title": "Files: Potential for SQL Injection through File Browse and List Operations",
    "source": "GitHub_M",
    "references": "https://github.com/humhub/cfiles/security/advisories/GHSA-rfvq-g9rm-pgqj\nhttps://github.com/humhub/cfiles/pull/252\nhttps://github.com/humhub/cfiles/releases/tag/v0.16.10",
    "id": "CVE-2025-54790",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "humhub cfiles < 0.16.10",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cfiles",
    "version": "< 0.16.10",
    "vendor": "humhub",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Files: Potential for SQL Injection through File Browse and List Operations_CVE-2025-54790