Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for Fess by codelibs
CVE-2026-8211 (GCVE-0-2026-8211)
Vulnerability from nvd – Published: 2026-05-09 22:15 – Updated: 2026-05-11 15:10
VLAI
Title
codelibs Fess JSP File AdminDesignAction.java update code injection
Summary
A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/362419 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/362419/cti | signaturepermissions-required |
| https://vuldb.com/submit/804293 | third-party-advisory |
| https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZ… | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:09:50.181220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:10:14.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"JSP File Handler"
],
"product": "Fess",
"vendor": "codelibs",
"versions": [
{
"status": "affected",
"version": "15.5.0"
},
{
"status": "affected",
"version": "15.5.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "R1ckyZ (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T22:15:38.888Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-362419 | codelibs Fess JSP File AdminDesignAction.java update code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/362419"
},
{
"name": "VDB-362419 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/362419/cti"
},
{
"name": "Submit #804293 | CodeLibs Fess 15.5.1 Arbitrary File Write",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/804293"
},
{
"tags": [
"exploit"
],
"url": "https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZxVozUc8UA4nog?from=from_copylink"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-09T08:14:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "codelibs Fess JSP File AdminDesignAction.java update code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-8211",
"datePublished": "2026-05-09T22:15:38.888Z",
"dateReserved": "2026-05-09T06:09:47.025Z",
"dateUpdated": "2026-05-11T15:10:14.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48382 (GCVE-0-2025-48382)
Vulnerability from nvd – Published: 2025-05-27 04:32 – Updated: 2025-05-27 14:34
VLAI
Title
Fess has Insecure Temporary File Permissions
Summary
Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact. This issue has been patched in version 14.19.2. A workaround for this issue involves ensuring local access to the environment running Fess is restricted to trusted users only.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/codelibs/fess/security/advisor… | x_refsource_CONFIRM |
| https://github.com/codelibs/fess/commit/25b2009fe… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:29:19.520363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T14:34:38.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fess",
"vendor": "codelibs",
"versions": [
{
"status": "affected",
"version": "\u003c 14.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact. This issue has been patched in version 14.19.2. A workaround for this issue involves ensuring local access to the environment running Fess is restricted to trusted users only."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 1.2,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T04:32:23.804Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/codelibs/fess/security/advisories/GHSA-g88v-2j67-9rmx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/codelibs/fess/security/advisories/GHSA-g88v-2j67-9rmx"
},
{
"name": "https://github.com/codelibs/fess/commit/25b2009fea2a0f6ccd5aa8154aa54b536c08f6c4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/codelibs/fess/commit/25b2009fea2a0f6ccd5aa8154aa54b536c08f6c4"
}
],
"source": {
"advisory": "GHSA-g88v-2j67-9rmx",
"discovery": "UNKNOWN"
},
"title": "Fess has Insecure Temporary File Permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48382",
"datePublished": "2025-05-27T04:32:23.804Z",
"dateReserved": "2025-05-19T15:46:00.397Z",
"dateUpdated": "2025-05-27T14:34:38.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000822 (GCVE-0-2018-1000822)
Vulnerability from nvd – Published: 2018-12-20 15:00 – Updated: 2024-09-17 00:36
VLAI
Summary
codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://0dd.zone/2018/10/27/fess-XXE/ | x_refsource_MISC |
| https://github.com/codelibs/fess/issues/1851 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:47:57.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://0dd.zone/2018/10/27/fess-XXE/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/codelibs/fess/issues/1851"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-11-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-20T15:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://0dd.zone/2018/10/27/fess-XXE/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/codelibs/fess/issues/1851"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-11-27T13:54:33.460601",
"DATE_REQUESTED": "2018-10-28T03:39:47",
"ID": "CVE-2018-1000822",
"REQUESTER": "sajeeb@0dd.zone",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://0dd.zone/2018/10/27/fess-XXE/",
"refsource": "MISC",
"url": "https://0dd.zone/2018/10/27/fess-XXE/"
},
{
"name": "https://github.com/codelibs/fess/issues/1851",
"refsource": "MISC",
"url": "https://github.com/codelibs/fess/issues/1851"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000822",
"datePublished": "2018-12-20T15:00:00.000Z",
"dateReserved": "2018-12-20T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:36:37.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-8211 (GCVE-0-2026-8211)
Vulnerability from cvelistv5 – Published: 2026-05-09 22:15 – Updated: 2026-05-11 15:10
VLAI
Title
codelibs Fess JSP File AdminDesignAction.java update code injection
Summary
A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/362419 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/362419/cti | signaturepermissions-required |
| https://vuldb.com/submit/804293 | third-party-advisory |
| https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZ… | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:09:50.181220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:10:14.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"JSP File Handler"
],
"product": "Fess",
"vendor": "codelibs",
"versions": [
{
"status": "affected",
"version": "15.5.0"
},
{
"status": "affected",
"version": "15.5.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "R1ckyZ (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T22:15:38.888Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-362419 | codelibs Fess JSP File AdminDesignAction.java update code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/362419"
},
{
"name": "VDB-362419 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/362419/cti"
},
{
"name": "Submit #804293 | CodeLibs Fess 15.5.1 Arbitrary File Write",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/804293"
},
{
"tags": [
"exploit"
],
"url": "https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZxVozUc8UA4nog?from=from_copylink"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-09T08:14:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "codelibs Fess JSP File AdminDesignAction.java update code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-8211",
"datePublished": "2026-05-09T22:15:38.888Z",
"dateReserved": "2026-05-09T06:09:47.025Z",
"dateUpdated": "2026-05-11T15:10:14.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48382 (GCVE-0-2025-48382)
Vulnerability from cvelistv5 – Published: 2025-05-27 04:32 – Updated: 2025-05-27 14:34
VLAI
Title
Fess has Insecure Temporary File Permissions
Summary
Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact. This issue has been patched in version 14.19.2. A workaround for this issue involves ensuring local access to the environment running Fess is restricted to trusted users only.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/codelibs/fess/security/advisor… | x_refsource_CONFIRM |
| https://github.com/codelibs/fess/commit/25b2009fe… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:29:19.520363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T14:34:38.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fess",
"vendor": "codelibs",
"versions": [
{
"status": "affected",
"version": "\u003c 14.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact. This issue has been patched in version 14.19.2. A workaround for this issue involves ensuring local access to the environment running Fess is restricted to trusted users only."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 1.2,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T04:32:23.804Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/codelibs/fess/security/advisories/GHSA-g88v-2j67-9rmx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/codelibs/fess/security/advisories/GHSA-g88v-2j67-9rmx"
},
{
"name": "https://github.com/codelibs/fess/commit/25b2009fea2a0f6ccd5aa8154aa54b536c08f6c4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/codelibs/fess/commit/25b2009fea2a0f6ccd5aa8154aa54b536c08f6c4"
}
],
"source": {
"advisory": "GHSA-g88v-2j67-9rmx",
"discovery": "UNKNOWN"
},
"title": "Fess has Insecure Temporary File Permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48382",
"datePublished": "2025-05-27T04:32:23.804Z",
"dateReserved": "2025-05-19T15:46:00.397Z",
"dateUpdated": "2025-05-27T14:34:38.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000822 (GCVE-0-2018-1000822)
Vulnerability from cvelistv5 – Published: 2018-12-20 15:00 – Updated: 2024-09-17 00:36
VLAI
Summary
codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://0dd.zone/2018/10/27/fess-XXE/ | x_refsource_MISC |
| https://github.com/codelibs/fess/issues/1851 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:47:57.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://0dd.zone/2018/10/27/fess-XXE/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/codelibs/fess/issues/1851"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-11-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-20T15:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://0dd.zone/2018/10/27/fess-XXE/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/codelibs/fess/issues/1851"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-11-27T13:54:33.460601",
"DATE_REQUESTED": "2018-10-28T03:39:47",
"ID": "CVE-2018-1000822",
"REQUESTER": "sajeeb@0dd.zone",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://0dd.zone/2018/10/27/fess-XXE/",
"refsource": "MISC",
"url": "https://0dd.zone/2018/10/27/fess-XXE/"
},
{
"name": "https://github.com/codelibs/fess/issues/1851",
"refsource": "MISC",
"url": "https://github.com/codelibs/fess/issues/1851"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000822",
"datePublished": "2018-12-20T15:00:00.000Z",
"dateReserved": "2018-12-20T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:36:37.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}