CVE-2025-24291
BaseFortify
Publication date: 2025-06-19
Last updated on: 2025-06-23
Assigner: HackerOne
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Versa Director SD-WAN orchestration platform's file upload functionality. The Java code that handles file uploads has an argument injection flaw, which allows an attacker to append extra arguments to the file name. This bypasses the MIME type validation, enabling the attacker to upload arbitrary file types, including potentially malicious files, onto the system.
How can this vulnerability impact me?
The vulnerability can allow an attacker to upload malicious files to the system by bypassing MIME type checks. This could lead to unauthorized code execution or compromise of the system's integrity and confidentiality. The CVSS score indicates a high impact on confidentiality and integrity, though availability is not affected.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the Versa Director SD-WAN orchestration platform to one of the remediated software versions provided by Versa Networks. There are no workarounds to disable the GUI option that allows file uploads.
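As an added illustration of the defensive principle behind the flaw class described in the first answer (an argument injection through the file name defeating MIME validation), the following check refuses argument-shaped file names outright and decides the file type from content rather than from the name. This is example code written here, not Versa's upload handler, which the page does not show; the allowlist and signatures are constructed for the example.

```python
import re

# Constructed allowlist for the example: extension -> (expected MIME type, content signatures)
ALLOWED_TYPES = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "pdf": ("application/pdf", (b"%PDF-",)),
}

# A file name must be a single plain token: it may not start with '-' (option-like)
# and may not contain spaces, quotes, path separators or shell metacharacters,
# so no downstream component can parse it as additional arguments.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def validate_upload(filename: str, declared_mime: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The decision never trusts the file name alone."""
    if not SAFE_NAME.fullmatch(filename):
        return False, "filename rejected: argument-like or contains unsafe characters"

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension rejected: {ext or '(none)'}"

    expected_mime, signatures = ALLOWED_TYPES[ext]
    if declared_mime.lower() != expected_mime:
        return False, f"declared MIME {declared_mime!r} does not match extension .{ext}"

    # Content sniffing: the bytes must carry the signature of the claimed type,
    # so a file type cannot be smuggled in under a permitted name and MIME header.
    if not any(content.startswith(sig) for sig in signatures):
        return False, f"content does not look like {expected_mime}"

    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads: one well-formed, one with an option-like name
    print(validate_upload("report.pdf", "application/pdf", b"%PDF-1.7\n"))
    print(validate_upload("--output.png", "image/png", b"\x89PNG\r\n\x1a\n"))
```

This check is an engineering pattern for upload handlers in general and does not replace the vendor upgrade the mitigation answer calls for.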