OS Command Injection via Path Traversal in WaveStore Server

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in the showerr script.

This issue was fixed in version 6.44.44

AI Analysis

OS Command Injection via Path Traversal vulnerability in WaveStore Server allows malicious attackers with high privileges to execute arbitrary OS commands

Basic Information

ID CVE-2025-65074

Source CERT-PL

Published Dec 16, 2025 at 12:25

Affected Product

Vendor WaveStore

Product WaveStore Server

Affected Versions WaveStore WaveStore Server 0

CWE Classification

CWE-22 CWE-78

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor WaveStore

Product WaveStore Server

Version < 6.44.44

References

{
    "lastseen": "",
    "description": "WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server.\u00a0A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in the\u00a0showerr script.\n\nThis issue was fixed in version 6.44.44",
    "published": "2025-12-16T12:25:15.751Z",
    "modified": "2025-12-16T12:25:15.751Z",
    "type": "cve",
    "title": "OS Command Injection via Path Traversal in WaveStore Server",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2025/12/CVE-2025-65074\nhttps://www.wavestore.com/products/video-management-software",
    "id": "CVE-2025-65074",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "WaveStore WaveStore Server 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WaveStore Server",
    "version": "0",
    "vendor": "WaveStore",
    "ai_description": "OS Command Injection via Path Traversal vulnerability in WaveStore Server allows malicious attackers with high privileges to execute arbitrary OS commands",
    "ai_severity": "High",
    "ai_vendor": "WaveStore",
    "ai_product": "WaveStore Server",
    "ai_version": "< 6.44.44",
    "ai_score": 8.6
}

OS Command Injection via Path Traversal in WaveStore Server_CVE-2025-65074