CVE-2025-8450 (GCVE-0-2025-8450)

Vulnerability from cvelistv5 – Published: 2025-08-19 18:01 – Updated: 2025-08-29 20:09
Title
Unrestricted File Upload in FileCatalyst
Summary
Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Fortra FileCatalyst Affected: 5.1.6 through 5.2.0 Build 80, inclusive (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8450",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-19T18:29:37.440894Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-19T18:30:00.515Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "MacOS",
            "Linux"
          ],
          "product": "FileCatalyst",
          "vendor": "Fortra",
          "versions": [
            {
              "lessThanOrEqual": "5.2.0 Build 80",
              "status": "affected",
              "version": "5.1.6",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Access Control issue in the Workflow component of Fortra\u0027s FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page."
            }
          ],
          "value": "Improper Access Control issue in the Workflow component of Fortra\u0027s FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-563",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-563 Add Malicious File to Shared Webroot"
            }
          ]
        },
        {
          "capecId": "CAPEC-650",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-650 Upload a Web Shell to a Web Server"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-29T20:09:24.656Z",
        "orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
        "shortName": "Fortra"
      },
      "references": [
        {
          "url": "https://www.fortra.com/security/advisories/product-security/fi-2025-010"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to the latest version of FileCatalyst, Version 5.2.0 - Build 130"
            }
          ],
          "value": "Update to the latest version of FileCatalyst, Version 5.2.0 - Build 130"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unrestricted File Upload in FileCatalyst",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
    "assignerShortName": "Fortra",
    "cveId": "CVE-2025-8450",
    "datePublished": "2025-08-19T18:01:14.137Z",
    "dateReserved": "2025-07-31T21:30:46.989Z",
    "dateUpdated": "2025-08-29T20:09:24.656Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-8450\",\"sourceIdentifier\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"published\":\"2025-08-19T18:15:29.540\",\"lastModified\":\"2025-08-29T20:15:35.203\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Access Control issue in the Workflow component of Fortra\u0027s FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.\"},{\"lang\":\"es\",\"value\":\"Un problema de control de acceso inadecuado en el componente de flujo de trabajo de FileCatalyst de Fortra permite que usuarios no autenticados carguen archivos arbitrarios a trav\u00e9s de la p\u00e1gina de formularios de pedido.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"},{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"references\":[{\"url\":\"https://www.fortra.com/security/advisories/product-security/fi-2025-010\",\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-8450\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-19T18:29:37.440894Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-19T18:29:44.341Z\"}}], \"cna\": {\"title\": \"Unrestricted File Upload in FileCatalyst\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-563\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-563 Add Malicious File to Shared Webroot\"}]}, {\"capecId\": \"CAPEC-650\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-650 Upload a Web Shell to a Web Server\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Fortra\", \"product\": \"FileCatalyst\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.1.6\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.2.0 Build 80\"}], \"platforms\": [\"Windows\", \"MacOS\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to the latest version of FileCatalyst, Version 5.2.0 - Build 130\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Update to the latest version of FileCatalyst, Version 5.2.0 - Build 130\", \"base64\": 
false}]}], \"references\": [{\"url\": \"https://www.fortra.com/security/advisories/product-security/fi-2025-010\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Access Control issue in the Workflow component of Fortra\u0027s FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Access Control issue in the Workflow component of Fortra\u0027s FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434 Unrestricted Upload of File with Dangerous Type\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306 Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"df4dee71-de3a-4139-9588-11b62fe6c0ff\", \"shortName\": \"Fortra\", \"dateUpdated\": \"2025-08-29T20:09:24.656Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-8450\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-29T20:09:24.656Z\", \"dateReserved\": \"2025-07-31T21:30:46.989Z\", \"assignerOrgId\": \"df4dee71-de3a-4139-9588-11b62fe6c0ff\", \"datePublished\": \"2025-08-19T18:01:14.137Z\", \"assignerShortName\": \"Fortra\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}



Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

