Path Traversal vulnerability in appRain CMF_CVE-2025-41035

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

A problem has been discovered in appRain CMF 4.0.5. An authenticated Path Traversal vulnerability in /apprain/common/download/ allows remote users to bypass the intended SecurityManager restrictions and download any file if they have adequate permissions outside the document root configured on the server via the base64 path after /download/.

Basic Information

ID CVE-2025-41035

Source INCIBE

Published Sep 4, 2025 at 11:07

Affected Product

Vendor appRain

Product appRain CMF

Version 4.0.5

Affected Versions appRain appRain CMF 4.0.5

CWE Classification

CWE-22

References

www.incibe.es /en/incibe-cert/notices/aviso/multiple-vulnerabilities-apprain-cmf

{
    "lastseen": "",
    "description": "A problem has been discovered in appRain CMF 4.0.5. An authenticated Path Traversal vulnerability in /apprain/common/download/ allows remote users to bypass the intended SecurityManager restrictions and download any file if they have adequate permissions outside the document root configured on the server via the base64 path after /download/.",
    "published": "2025-09-04T11:07:48.351Z",
    "modified": "2025-09-04T11:07:48.351Z",
    "type": "cve",
    "title": "Path Traversal vulnerability in appRain CMF",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-apprain-cmf",
    "id": "CVE-2025-41035",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "appRain appRain CMF 4.0.5",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "appRain CMF",
    "version": "4.0.5",
    "vendor": "appRain",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}