CVE-2025-35112
BaseFortify
Publication date: 2025-08-26
Last updated on: 2026-04-29
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| atlassian | agiloft | From 19 (inclusive) to 31 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an XML External Entity (XXE) injection issue in Agiloft Release 28 that affects any table with 'import/export' functionality enabled. An authenticated attacker can exploit it by importing a specially crafted template file; when the server's XML parser resolves the external entities declared in that template, the attacker can read local system files (a path-traversal-style effect) and potentially obtain sensitive data held on the server.
How can this vulnerability impact me?
The vulnerability allows an authenticated attacker to read local system files through the XML parser, which may lead to unauthorized disclosure of sensitive information stored on the server. This compromises the confidentiality of that data and, depending on which files are exposed, could also affect system integrity.
What immediate steps should I take to mitigate this vulnerability?
Users should upgrade to Agiloft Release 31 to mitigate this vulnerability.
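The Q&A above describes the attack as an imported template whose DTD declares an external entity that the server-side parser resolves against the local filesystem, and names upgrading to Release 31 as the fix. For a defender who also wants a control at the import boundary, the following is an added example (not Agiloft code and not taken from this advisory) of the usual hardening: refuse any uploaded template that contains a DOCTYPE, an entity declaration, or an external entity reference before the document reaches the real parser. The template element names (`template`, `field`) and the `file:///placeholder/local/file` path are constructed for the illustration and are not from the product.

```python
"""Defensive XML template loader: reject DTD/entity constructs up front.
Added example; assumes a simple <template><field name=...> format that
is NOT Agiloft's real import format."""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when an uploaded template contains DTD or entity constructs."""


def reject_dtd_and_entities(xml_bytes: bytes) -> None:
    """First pass with expat handlers that record any DOCTYPE, entity
    declaration or external entity reference. External entities (the XXE
    vector) can only be declared inside a DTD, so refusing the DTD outright
    removes the whole class rather than chasing individual payloads."""
    parser = xml.parsers.expat.ParserCreate()
    problems = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        problems.append(f"DOCTYPE declaration for '{name}'")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        problems.append(f"{kind} entity '{name}'")

    def on_external_ref(context, base, sysid, pubid):
        # Returning 0 tells expat to abort instead of fetching the resource.
        problems.append(f"external entity reference to '{sysid}'")
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        # A parse error caused by our own abort is expected; anything else
        # is genuinely malformed input and is surfaced as-is.
        if not problems:
            raise
    if problems:
        raise UnsafeXmlError("; ".join(problems))


def load_import_template(xml_bytes: bytes) -> dict:
    """Parse a template only after the pre-check passes and return the
    field-name -> value mapping an importer would consume."""
    reject_dtd_and_entities(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {f.get("name"): (f.text or "") for f in root.iter("field")}


def check_template(xml_bytes: bytes):
    """Return (accepted, detail): the parsed fields on success, or the
    rejection reason so the import endpoint can log it for detection."""
    try:
        return True, load_import_template(xml_bytes)
    except UnsafeXmlError as exc:
        return False, str(exc)


# Constructed sample: a benign template in the assumed format.
BENIGN_TEMPLATE = b"""<?xml version="1.0"?>
<template table="contracts">
  <field name="title">Master Services Agreement</field>
  <field name="owner">legal</field>
</template>"""

# Constructed sample: the same template carrying a DTD that declares an
# external entity pointing at a placeholder local path. A parser that
# resolves entities would splice that file's contents into 'title' and
# return it to the user on export; the pre-check rejects it before parsing.
XXE_TEMPLATE = b"""<?xml version="1.0"?>
<!DOCTYPE template [
  <!ENTITY ext SYSTEM "file:///placeholder/local/file">
]>
<template table="contracts">
  <field name="title">&ext;</field>
</template>"""


if __name__ == "__main__":
    print(check_template(BENIGN_TEMPLATE))
    print(check_template(XXE_TEMPLATE))
```

The rejection string is deliberately descriptive so the import endpoint can emit one log line per refused upload (user, table, reason); a burst of DOCTYPE rejections from a single account is the signal a SOC would want to alert on for this class of issue, independent of the product version in play.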