lsfusion platform DownloadFileRequestHandler.java DownloadFileRequestHandler path traversal_CVE-2025-13261

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Performing manipulation of the argument Version results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

Basic Information

ID CVE-2025-13261

Source VulDB

Published Nov 17, 2025 at 03:32

Affected Product

Vendor lsfusion

Product platform

Version 6.0

Affected Versions lsfusion platform 6.0
lsfusion platform 6.1

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Performing manipulation of the argument Version results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used.",
    "published": "2025-11-17T03:32:05.193Z",
    "modified": "2025-11-17T03:32:05.193Z",
    "type": "cve",
    "title": "lsfusion platform DownloadFileRequestHandler.java DownloadFileRequestHandler path traversal",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.332596\nhttps://vuldb.com/?ctiid.332596\nhttps://vuldb.com/?submit.689412\nhttps://github.com/lsfusion/platform/issues/1543\nhttps://github.com/lsfusion/platform/issues/1543#issue-3576922131",
    "id": "CVE-2025-13261",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "lsfusion platform 6.0\nlsfusion platform 6.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "platform",
    "version": "6.0",
    "vendor": "lsfusion",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}