Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-66955 is a Local File Inclusion (LFI) vulnerability in the Contact Plan, E-Mail, SMS, and Fax components of Asseco SEE Live 2.0. It allows remote authenticated users to access arbitrary files on the host system by exploiting the "path" parameter in two API calls: downloadAttachment and downloadAttachmentFromPath.'}, {'type': 'paragraph', 'content': 'An attacker with low-level authentication can send specially crafted HTTP POST requests to the /live20/index.php endpoint, specifying the method and the "path" parameter pointing to the target file (for example, /etc/passwd). This enables the attacker to read sensitive files on the server.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to significant information disclosure by allowing attackers to read sensitive files on the server. Since the vulnerability affects confidentiality with a high impact score, attackers could gain access to critical data stored on the host.

Although it does not affect integrity or availability, the exposure of sensitive information could facilitate further exploitation or unauthorized access, potentially compromising the security of the affected system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for HTTP POST requests to the /live20/index.php endpoint that invoke the methods Email.downloadAttachment or Email.downloadAttachmentFromPath with a "path" parameter pointing to sensitive files.'}, {'type': 'paragraph', 'content': 'A detection approach involves capturing and analyzing network traffic or server logs for suspicious multipart/form-data POST requests containing these parameters.'}, {'type': 'paragraph', 'content': 'Example commands to detect potential exploitation attempts include using curl to simulate the exploit or using network monitoring tools to filter relevant traffic.'}, {'type': 'list_item', 'content': "curl -X POST https://target/live20/index.php -F 'method=Email.downloadAttachment' -F 'path=/etc/passwd' -F 'id=1' -F 'downloadToken=token'"}, {'type': 'list_item', 'content': "tcpdump or Wireshark filters to capture POST requests to /live20/index.php containing 'downloadAttachment' and 'path=' parameters."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable API endpoints to only trusted and authenticated users with the least privileges.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring and blocking suspicious requests that attempt to exploit the "path" parameter can help reduce risk.'}, {'type': 'paragraph', 'content': 'Applying any available patches or updates from Asseco for SEE Live 2.0 is recommended once released.'}, {'type': 'paragraph', 'content': 'As a temporary workaround, consider implementing web application firewall (WAF) rules to block requests containing suspicious path traversal or file inclusion patterns.'}] [1]

Useful 0 Not Useful 0