Search criteria
3 vulnerabilities by Sparx Systems
CVE-2025-4377 (GCVE-0-2025-4377)
Vulnerability from cvelistv5 – Published: 2025-05-09 05:12 – Updated: 2025-05-09 13:22
VLAI?
Summary
Improper Limitation of a Pathname caused a Path Traversal vulnerability in Sparx Systems Pro Cloud Server.
This vulnerability is present in logview.php and it allows reading arbitrary files on the filesystem.
Logview is accessible on Pro Cloud Server Configuration interface.
This issue affects Pro Cloud Server: earlier than 6.0.165.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sparx Systems | Pro Cloud Server |
Affected:
0 , ≤ 6.0.163
(PCS)
Unaffected: 6.0.165 (PCS) |
Credits
Santeri Siirilä
Mikko Korpi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4377",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T13:22:04.482705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T13:22:16.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://sparxsystems.com/products/procloudserver/",
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Pro Cloud Server",
"programFiles": [
"logview.php"
],
"vendor": "Sparx Systems",
"versions": [
{
"lessThanOrEqual": "6.0.163",
"status": "affected",
"version": "0",
"versionType": "PCS"
},
{
"status": "unaffected",
"version": "6.0.165",
"versionType": "PCS"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Santeri Siiril\u00e4"
},
{
"lang": "en",
"type": "finder",
"value": "Mikko Korpi"
}
],
"datePublic": "2025-05-05T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper Limitation of a Pathname caused a Path Traversal vulnerability in Sparx Systems Pro Cloud Server.\u003c/div\u003e\u003cdiv\u003eThis vulnerability is present in \u003ctt\u003elogview.php\u003c/tt\u003e and it allows reading arbitrary files on the filesystem.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eLogview is accessible on Pro Cloud Server Configuration interface. \u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects Pro Cloud Server: earlier than 6.0.165.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname caused a Path Traversal vulnerability in Sparx Systems Pro Cloud Server.\n\nThis vulnerability is present in logview.php and it allows reading arbitrary files on the filesystem.\u00a0\n\nLogview is accessible on Pro Cloud Server Configuration interface. \n\n\nThis issue affects Pro Cloud Server: earlier than 6.0.165."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126: Path Traversal"
}
]
},
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139: Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T05:12:59.487Z",
"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
"shortName": "NCSC-FI"
},
"references": [
{
"url": "https://sparxsystems.com/products/procloudserver/6.1/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path traversal vulnerability in Sparx Pro Cloud Server WebEA webconfig in logview.php",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
"assignerShortName": "NCSC-FI",
"cveId": "CVE-2025-4377",
"datePublished": "2025-05-09T05:12:59.487Z",
"dateReserved": "2025-05-06T05:21:12.322Z",
"dateUpdated": "2025-05-09T13:22:16.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4376 (GCVE-0-2025-4376)
Vulnerability from cvelistv5 – Published: 2025-05-09 05:12 – Updated: 2025-05-09 13:23
VLAI?
Summary
Improper Input Validation vulnerability in Sparx Systems Pro Cloud Server's WebEA model search field allows Cross-Site Scripting (XSS).
This issue affects Pro Cloud Server: earlier than 6.0.165.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sparx Systems | Pro Cloud Server |
Affected:
0 , ≤ 6.0.164
(PCS)
Unaffected: 6.0.165 (PCS) |
Credits
Santeri Siirilä
Mikko Korpi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T13:23:39.641885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T13:23:45.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://sparxsystems.com/products/procloudserver/",
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Pro Cloud Server",
"vendor": "Sparx Systems",
"versions": [
{
"lessThanOrEqual": "6.0.164",
"status": "affected",
"version": "0",
"versionType": "PCS"
},
{
"status": "unaffected",
"version": "6.0.165",
"versionType": "PCS"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Santeri Siiril\u00e4"
},
{
"lang": "en",
"type": "finder",
"value": "Mikko Korpi"
}
],
"datePublic": "2025-05-05T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Sparx Systems Pro Cloud Server\u0027s WebEA model search field allows Cross-Site Scripting (XSS). \u003cbr\u003e\u003cp\u003eThis issue affects Pro Cloud Server: earlier than 6.0.165.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Sparx Systems Pro Cloud Server\u0027s WebEA model search field allows Cross-Site Scripting (XSS). \nThis issue affects Pro Cloud Server: earlier than 6.0.165."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T05:12:54.145Z",
"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
"shortName": "NCSC-FI"
},
"references": [
{
"url": "https://sparxsystems.com/products/procloudserver/6.1/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting vulnerability in Model Search in Pro Cloud Server\u0027s WebEA",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
"assignerShortName": "NCSC-FI",
"cveId": "CVE-2025-4376",
"datePublished": "2025-05-09T05:12:54.145Z",
"dateReserved": "2025-05-06T05:21:10.663Z",
"dateUpdated": "2025-05-09T13:23:45.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4375 (GCVE-0-2025-4375)
Vulnerability from cvelistv5 – Published: 2025-05-09 05:12 – Updated: 2025-05-09 13:24
VLAI?
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present at the whole application but it can be used to change the Pro Cloud Server Configuration password.
This issue affects Pro Cloud Server: earlier than 6.0.165.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sparx Systems | Pro Cloud Server |
Affected:
0 , ≤ 6.0.14
(PCS)
Unaffected: 6.0.165 (PCS) |
Credits
Santeri Siirilä
Mikko Korpi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T13:24:15.312416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T13:24:21.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://sparxsystems.com/products/procloudserver/",
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Pro Cloud Server",
"vendor": "Sparx Systems",
"versions": [
{
"lessThanOrEqual": "6.0.14",
"status": "affected",
"version": "0",
"versionType": "PCS"
},
{
"status": "unaffected",
"version": "6.0.165",
"versionType": "PCS"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Santeri Siiril\u00e4"
},
{
"lang": "en",
"type": "finder",
"value": "Mikko Korpi"
}
],
"datePublic": "2025-05-05T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present at the whole application but it can be used to change the Pro Cloud Server Configuration password. \u003cbr\u003e\u003cp\u003eThis issue affects Pro Cloud Server: earlier than 6.0.165.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present at the whole application but it can be used to change the Pro Cloud Server Configuration password. \nThis issue affects Pro Cloud Server: earlier than 6.0.165."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
},
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593 Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T05:12:48.610Z",
"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
"shortName": "NCSC-FI"
},
"references": [
{
"url": "https://sparxsystems.com/products/procloudserver/6.1/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Request Forgery vulnerability in Pro Cloud Server\u0027s WebEA",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
"assignerShortName": "NCSC-FI",
"cveId": "CVE-2025-4375",
"datePublished": "2025-05-09T05:12:48.610Z",
"dateReserved": "2025-05-06T05:21:08.411Z",
"dateUpdated": "2025-05-09T13:24:21.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}