CVE-2025-36857
BaseFortify
Publication date: 2025-09-25
Last updated on: 2025-12-11
Assigner: Rapid7, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rapid7 | appspider_pro | up to 7.5.021 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Rapid7 AppSpider Pro versions below 7.5.021 is a broken access control issue in the application's configuration file loading mechanism. Because the installed directories are created with overly permissive permissions (CWE-276), an attacker with local access can place files in directories belonging to other users or projects. Since the application loads configuration files in alphabetical order, the attacker can add custom configuration files that override or change the settings of the original configuration files, creating a security risk. The root cause is improper access management on the installed directories.
How can this vulnerability impact me?
The vulnerability can allow a standard user to modify or override configuration settings of other users or projects by placing malicious configuration files. This can lead to unauthorized changes in application behavior or security settings, potentially compromising the integrity of the application environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Rapid7 Appspider Pro to version 7.5.021 or later, as this version remediates the broken access control vulnerability in the configuration file loading mechanism.