CVE-2025-60786
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-23
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kagilum | icescrum | up to 7.54 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-60786 is a Zip Slip vulnerability in the project import feature of iceScrum v7.54 Pro On-prem. It occurs because the software improperly sanitizes file paths when extracting user-uploaded ZIP files. Attackers can craft malicious ZIP archives containing directory traversal sequences (like "../") that allow files to be extracted outside the intended directory. This enables attackers to write arbitrary files anywhere on the server filesystem, potentially leading to remote code execution and other malicious actions. [1]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to remote code execution, allowing attackers to run arbitrary code on the server. Other impacts include tampering with configuration files, disrupting services, and exfiltrating sensitive data. Since iceScrum allows self-registration by default, any self-registered user can exploit this vulnerability via the import feature, increasing the risk and severity of attacks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for attempts to upload ZIP files via the project import feature that contain directory traversal sequences such as "../" in file paths. Since the vulnerability involves extracting crafted ZIP files, inspecting uploaded ZIP archives for suspicious paths is key. Specific commands are not provided in the resources, but administrators can check uploaded ZIP contents manually or with scripts that scan for directory traversal patterns. Network monitoring for unusual POST requests to the import endpoint may also help detect exploitation attempts. [1]
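A defender-side scanner for the check described above, as an added example that is not from BaseFortify or the iceScrum project; the extraction root `/srv/icescrum/import` and the sample archive it builds are constructed assumptions:

```python
import io
import os
import zipfile
from typing import List


def unsafe_entries(zip_bytes: bytes, extract_root: str = "/srv/icescrum/import") -> List[str]:
    """Return the member names of a ZIP that would land outside extract_root.

    Mirrors what a safe extractor must do before writing: reject absolute
    paths, Windows drive letters and backslash separators, then resolve the
    joined path lexically and confirm it is still under extract_root.
    (Symlinks already present inside extract_root are a separate concern.)
    """
    root = os.path.abspath(extract_root)  # assumed import directory
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            normalized = name.replace("\\", "/")
            first = normalized.split("/")[0]
            if normalized.startswith("/") or ":" in first:
                flagged.append(name)  # absolute path or drive letter
                continue
            target = os.path.abspath(os.path.join(root, normalized))
            if os.path.commonpath([root, target]) != root:
                flagged.append(name)  # ".." climbed out of the import root
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member plus three traversal members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/export.json", "{}")
        zf.writestr("../../opt/app/escaped.txt", "x")
        zf.writestr("/etc/escaped.conf", "x")
        zf.writestr("..\\..\\escaped.bat", "x")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_zip()):
        print("traversal entry:", entry)
```

Run it against an uploaded archive by passing the file's bytes to `unsafe_entries`; a non-empty result is the signal to quarantine the upload rather than extract it.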
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official security patches provided by iceScrum for versions up to 7.5.4. If patches are not yet available, disabling the project import feature temporarily is recommended to prevent exploitation. Additionally, restricting self-registration or limiting access to the import functionality can reduce risk. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how the CVE-2025-60786 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.