CVE-2025-1845
Published: 03 March 2025
Description
A vulnerability has been found in ESAFENET DSM 3.1.2 and classified as critical. Affected by this vulnerability is the function examExportPDF of the file /admin/plan/examExportPDF. The manipulation of the argument s leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1845 is a command injection vulnerability classified as critical in ESAFENET DSM version 3.1.2. The flaw affects the examExportPDF function in the /admin/plan/examExportPDF file, where manipulation of the "s" argument triggers the injection. It is remotely exploitable and has been assigned CWEs CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity. No user interaction is required, and exploitation leads to limited impacts on confidentiality, integrity, and availability, such as potential execution of arbitrary commands within the context of the affected component.
Advisories from VulDB and GitHub disclosures indicate that the exploit has been publicly released and may be actively used. The vendor was contacted early regarding the issue but provided no response, and no patches or mitigations are mentioned in the available references.
Details
- CWE(s)