Unrestricted uploading of dangerous file types to AvePoint products

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Unrestricted file upload vulnerability in DocAve 6.13.2, Perimeter 1.12.3, Compliance Guardian 4.7.1, and earlier versions, allowing administrator users to upload files without proper validation. An attacker could exploit this vulnerability by uploading malicious files that compromise the system. In addition, it is vulnerable to Path Traversal, which allows files to be written to arbitrary directories within the web root.

Basic Information

ID CVE-2025-10544

Source INCIBE

Published Sep 26, 2025 at 09:51

Affected Product

Vendor AvePoint

Product DocAve

Version 6.13.2

Affected Versions AvePoint DocAve 6.13.2
AvePoint Perimeter 1.12.3
AvePoint Compliance Guardian 0

CWE Classification

CWE-434

References

www.incibe.es /en/incibe-cert/notices/aviso/unrestricted-uploading-dangerous-file-types-avepoint-products

{
    "lastseen": "",
    "description": "Unrestricted file upload vulnerability in DocAve 6.13.2, Perimeter 1.12.3, Compliance Guardian 4.7.1, and earlier versions, allowing administrator users to upload files without proper validation. An attacker could exploit this vulnerability by uploading malicious files that compromise the system. In addition, it is vulnerable to Path Traversal, which allows files to be written to arbitrary directories within the web root.",
    "published": "2025-09-26T09:51:12.104Z",
    "modified": "2025-09-26T09:51:12.104Z",
    "type": "cve",
    "title": "Unrestricted uploading of dangerous file types to AvePoint products",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-uploading-dangerous-file-types-avepoint-products",
    "id": "CVE-2025-10544",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "AvePoint DocAve 6.13.2\nAvePoint Perimeter 1.12.3\nAvePoint Compliance Guardian 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "DocAve",
    "version": "6.13.2",
    "vendor": "AvePoint",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Unrestricted uploading of dangerous file types to AvePoint products_CVE-2025-10544