Multiple vulnerabilities in appRain CMF
Posted date 04/09/2025
Identifier
INCIBE-2025-0473
Importance
4 - High
Affected Resources
- appRain CMF, version 4.0.5.
Description
INCIBE has coordinated the publication of 32 vulnerabilities, 4 of high severity and 28 of medium severity, affecting appRain CMF (Content Management Framework). The vulnerabilities were discovered by Rafael Pedrero.
Each vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- from CVE-2025-41032 to CVE-2025-41034: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-41035: CVSS v4.0: 7.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-22
- from CVE-2025-41036 to CVE-2025-41061: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
- from CVE-2025-41062 to CVE-2025-41063: CVSS v4.0: 4.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
No solution has been reported at this time.
Detail
- An SQL injection vulnerability has been found in appRain CMF 4.0.5. This vulnerability allows an attacker to retrieve, create, update, and delete the database. The list of parameters and assigned identifiers is as follows:
  - CVE-2025-41032: 'data%5BAdmin%5D%5Busername%5D' parameter in /apprain/admin/manage/add/.
  - CVE-2025-41033: 'data%5BPage%5D%5Bname%5D' parameter in /apprain/page/manage-dynamic-pages/create.
  - CVE-2025-41034: 'data%5BPage%5D%5Bname%5D' parameter in /apprain/page/manage-static-pages/create/.
- CVE-2025-41035: an authenticated path traversal vulnerability has been discovered in /apprain/common/download/ in appRain CMF 4.0.5. It allows remote users to bypass the intended SecurityManager restrictions and, if they have adequate permissions, download any file outside the document root configured on the server via the base64 path after /download/.
- A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input. The list of parameters and assigned identifiers is as follows:
  - CVE-2025-41036: 'data[Admin][description]', 'data[Admin][f_name]' and 'data[Admin][l_name]' parameters in /apprain/admin/account/edit.
  - CVE-2025-41037: 'data[FileManager][search]' parameter in /apprain/admin/filemanager.
  - CVE-2025-41038: 'data[Group][name]' parameter in /apprain/admin/managegroup/add/.
  - CVE-2025-41039: 'data[sconfig][admin_landing_page]', 'data[sconfig][currency]', 'data[sconfig][db_version]', 'data[sconfig][default_pagination]', 'data[sconfig][emailsetup_from_email]', 'data[sconfig][emailsetup_host]', 'data[sconfig][emailsetup_password]', 'data[sconfig][emailsetup_port]', 'data[sconfig][emailsetup_username]', 'data[sconfig][fileresource_id]', 'data[sconfig][large_image_height]', 'data[sconfig][large_image_width]' and 'data[sconfig][time_zone_padding]' parameters in /apprain/admin/config/opts.
  - 'data[code]', 'data[lang][0][key]', 'data[lang][0][value]', 'data[lang][1][key]' and 'data[title]' parameters in:
    - CVE-2025-41040: /apprain/developer/language/lipsum.xml.
    - CVE-2025-41041: /apprain/developer/language/default.xml.
  - CVE-2025-41042: 'data[Option][message]', 'data[Option][subject]' and 'data[Option][templatetype]' parameters in /apprain/information/manage/emailtemplate/add.
  - CVE-2025-41043: 'data[AppReportCode][id]' and 'data[AppReportCode][name]' parameters in /apprain/appreport/manage/.
  - CVE-2025-41044: 'data[Page][name]' parameter in /apprain/page/manage-static-pages/create.
  - CVE-2025-41045: 'data[sconfig][ethical_licensekey]' parameter in /apprain/admin/config/ethical.
  - 'data[Addon][layouts]' and 'data[Addon][layouts_except]' parameters in:
    - CVE-2025-41046: /apprain/developer/addons/update/960grid.
    - CVE-2025-41047: /apprain/developer/addons/update/ace.
    - CVE-2025-41048: /apprain/developer/addons/update/admin.
    - CVE-2025-41049: /apprain/developer/addons/update/appform.
    - CVE-2025-41050: /apprain/developer/addons/update/base_libs.
    - CVE-2025-41051: /apprain/developer/addons/update/bootstrap.
    - CVE-2025-41052: /apprain/developer/addons/update/canvasjs.
    - CVE-2025-41053: /apprain/developer/addons/update/commonresource.
    - CVE-2025-41054: /apprain/developer/addons/update/cycle.
    - CVE-2025-41055: /apprain/developer/addons/update/dialogs.
    - CVE-2025-41056: /apprain/developer/addons/update/hysontable.
    - CVE-2025-41057: /apprain/developer/addons/update/rich_text_editor.
    - CVE-2025-41058: /apprain/developer/addons/update/row_manager.
    - CVE-2025-41059: /apprain/developer/addons/update/tablesorter.
    - CVE-2025-41060: /apprain/developer/addons/update/tree.
    - CVE-2025-41061: /apprain/developer/addons/update/uploadify.
- A vulnerability has been discovered in version 4.0.5 of appRain CMF, consisting of an authenticated reflected XSS due to a lack of proper validation of user input. The list of parameters and assigned identifiers is as follows:
  - CVE-2025-41062: 'page' parameter in /apprain/developer/addons.
  - CVE-2025-41063: 's' parameter in /apprain/developer/debug-log/db.
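Since no fix is reported, web-server logs are the place to look for abuse of CVE-2025-41035. The following log-triage sketch is an added example, not part of the advisory or of appRain's code: it decodes the base64 segment after /apprain/common/download/ and flags requests whose decoded path resolves outside the document root. The document root `/var/www/html`, the combined log format, the acceptance of URL-safe base64 and all function names are assumptions.

```python
import base64, binascii, posixpath, re
from urllib.parse import unquote, urlsplit

DOWNLOAD_PREFIX = "/apprain/common/download/"  # endpoint named in the advisory
DOC_ROOT = "/var/www/html"  # assumption: the server's configured document root
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
UNDECODABLE = "<undecodable>"

def decode_download_path(url):
    """Return the path carried after /download/, or None for other requests."""
    path = unquote(urlsplit(url).path)
    if not path.startswith(DOWNLOAD_PREFIX) or path == DOWNLOAD_PREFIX:
        return None
    token = path[len(DOWNLOAD_PREFIX):].replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return UNDECODABLE  # not valid base64: surface it for manual review

def escapes_root(decoded, base=DOC_ROOT):
    """True if the path leaves `base` (../ climb, absolute or drive-qualified path)."""
    candidate = decoded.replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(base, candidate))
    inside = resolved == base or resolved.startswith(base + "/")
    return bool(re.match(r"[A-Za-z]:", candidate)) or not inside

def triage(log_lines):
    """Return (line_number, decoded_path) for download requests that need review."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        decoded = decode_download_path(m.group(1)) if m else None
        if decoded is not None and (decoded == UNDECODABLE or escapes_root(decoded)):
            hits.append((n, decoded))
    return hits

def sample_line(decoded_path):  # builds a constructed log line for the demo
    token = base64.b64encode(decoded_path.encode()).decode()
    return f'203.0.113.7 - admin [04/Sep/2025:10:00:00 +0000] "GET {DOWNLOAD_PREFIX}{token} HTTP/1.1" 200 512'

SAMPLE_LOG = [  # constructed sample input, not real traffic
    sample_line("uploads/report.pdf"),
    sample_line("../../outside/secret.txt"),
    '203.0.113.7 - admin [04/Sep/2025:10:00:05 +0000] "GET /apprain/admin/filemanager HTTP/1.1" 200 900',
    sample_line("/etc/hostname"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A trailing slash or other non-base64 residue after the token is reported as undecodable rather than silently dropped, so those requests still reach an analyst.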
CVE
- CVE-2025-41032: Severity: High | Exploitation: No | New vendor: CMF
- CVE-2025-41033: Severity: High | Exploitation: No | New vendor: CMF
- CVE-2025-41034: Severity: High | Exploitation: No | New vendor: CMF
- CVE-2025-41035: Severity: High | Exploitation: No | New vendor: CMF
- CVE-2025-41036: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41037: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41038: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41039: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41040: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41041: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41042: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41043: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41044: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41045: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41046: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41047: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41048: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41049: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41050: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41051: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41052: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41053: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41054: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41055: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41056: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41057: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41058: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41059: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41060: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41061: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41062: Severity: Medium | Exploitation: No | New vendor: CMF
- CVE-2025-41063: Severity: Medium | Exploitation: No | New vendor: CMF