Multiple vulnerabilities in appRain CMF

Posted date 04/09/2025
Identifier
INCIBE-2025-0473
Importance
4 - High
Affected Resources
  • appRain CMF, 4.0.5 version.
Description

INCIBE has coordinated the publication of 32 vulnerabilities, 4 of high severity and 28 of medium severity, affecting appRain CMF (Content Management Framework). The vulnerabilities were discovered by Rafael Pedrero.

The following identifiers have been assigned to these vulnerabilities, each listed with its CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • from CVE-2025-41032 to CVE-2025-41034: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
  • CVE-2025-41035: CVSS v4.0: 7.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-22
  • from CVE-2025-41036 to CVE-2025-41061: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
  • from CVE-2025-41062 to CVE-2025-41063: CVSS v4.0: 4.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

No solution has been reported at this time. 

Detail
  • An SQL injection vulnerability has been found in appRain CMF 4.0.5. This vulnerability allows an attacker to retrieve, create, update, and delete the database. The list of parameters and assigned identifiers is as follows:
    • CVE-2025-41032: 'data%5BAdmin%5D%5Busername%5D' parameter in /apprain/admin/manage/add/.
    • CVE-2025-41033: 'data%5BPage%5D%5Bname%5D' parameter in /apprain/page/manage-dynamic-pages/create.
    • CVE-2025-41034: 'data%5BPage%5D%5Bname%5D' parameter in /apprain/page/manage-static-pages/create/.
  • CVE-2025-41035: an authenticated path traversal vulnerability has been discovered in appRain CMF 4.0.5. The flaw in /apprain/common/download/ allows remote users to bypass the intended SecurityManager restrictions and, if they have adequate permissions, download any file outside the document root configured on the server via the base64 path after /download/.
  • A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input. The list of parameters and assigned identifiers is as follows:
    • CVE-2025-41036: 'data[Admin][description]', 'data[Admin][f_name]' and 'data[Admin][l_name]' parameters in /apprain/admin/account/edit.
    • CVE-2025-41037: 'data[FileManager][search]' parameter in /apprain/admin/filemanager.
    • CVE-2025-41038: 'data[Group][name]' parameter in /apprain/admin/managegroup/add/.
    • CVE-2025-41039: 'data[sconfig][admin_landing_page]', 'data[sconfig][currency]', 'data[sconfig][db_version]', 'data[sconfig][default_pagination]', 'data[sconfig][emailsetup_from_email]', 'data[sconfig][emailsetup_host]', 'data[sconfig][emailsetup_password]', 'data[sconfig][emailsetup_port]', 'data[sconfig][emailsetup_username]', 'data[sconfig][fileresource_id]', 'data[sconfig][large_image_height]', 'data[sconfig][large_image_width]' and 'data[sconfig][time_zone_padding]' parameters in /apprain/admin/config/opts.
    • 'data[code]', 'data[lang][0][key]', 'data[lang][0][value]', 'data[lang][1][key]' and 'data[title]' parameters in:
      • CVE-2025-41040: /apprain/developer/language/lipsum.xml.
      • CVE-2025-41041: /apprain/developer/language/default.xml.
    • CVE-2025-41042: 'data[Option][message]', 'data[Option][subject]' and 'data[Option][templatetype]' parameters in /apprain/information/manage/emailtemplate/add.
    • CVE-2025-41043: 'data[AppReportCode][id]' and 'data[AppReportCode][name]' parameters in /apprain/appreport/manage/.
    • CVE-2025-41044: 'data[Page][name]' parameter in /apprain/page/manage-static-pages/create.
    • CVE-2025-41045: 'data[sconfig][ethical_licensekey]' parameter in /apprain/admin/config/ethical.
    • 'data[Addon][layouts]' and 'data[Addon][layouts_except]' parameters in:
      • CVE-2025-41046: /apprain/developer/addons/update/960grid.
      • CVE-2025-41047: /apprain/developer/addons/update/ace.
      • CVE-2025-41048: /apprain/developer/addons/update/admin.
      • CVE-2025-41049: /apprain/developer/addons/update/appform.
      • CVE-2025-41050: /apprain/developer/addons/update/base_libs.
      • CVE-2025-41051: /apprain/developer/addons/update/bootstrap.
      • CVE-2025-41052: /apprain/developer/addons/update/canvasjs.
      • CVE-2025-41053: /apprain/developer/addons/update/commonresource.
      • CVE-2025-41054: /apprain/developer/addons/update/cycle.
      • CVE-2025-41055: /apprain/developer/addons/update/dialogs.
      • CVE-2025-41056: /apprain/developer/addons/update/hysontable.
      • CVE-2025-41057: /apprain/developer/addons/update/rich_text_editor.
      • CVE-2025-41058: /apprain/developer/addons/update/row_manager.
      • CVE-2025-41059: /apprain/developer/addons/update/tablesorter.
      • CVE-2025-41060: /apprain/developer/addons/update/tree.
      • CVE-2025-41061: /apprain/developer/addons/update/uploadify.
  • A vulnerability has been discovered in version 4.0.5 of appRain CMF, consisting of an authenticated reflected XSS due to a lack of proper validation of user input. The list of parameters and assigned identifiers is as follows:
    • CVE-2025-41062: 'page' parameter in /apprain/developer/addons.
    • CVE-2025-41063: 's' parameter in /apprain/developer/debug-log/db.
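
Since no fix has been reported, access logs can be reviewed for CVE-2025-41035 by decoding the base64 segment after /download/ and checking where it resolves. The script below is an added example, not part of the advisory or of appRain's code; the document root, the combined log format, the tolerance for URL-safe base64 and the idea that the decoded path is resolved relative to the document root are assumptions, and the log lines are constructed.

```python
import base64
import binascii
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root; set to the server's real one
# Path segment that follows /apprain/common/download/ in a logged request line.
DOWNLOAD_RE = re.compile(r'/apprain/common/download/([^/?\s"]+)')

def decode_segment(segment):
    """Decode the base64 path segment; return None if it is not valid base64."""
    raw = unquote(segment).replace("-", "+").replace("_", "/")  # accept URL-safe form
    raw += "=" * (-len(raw) % 4)  # restore stripped padding
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def escapes_docroot(path, docroot=DOCROOT):
    """Lexically resolve path against docroot and report whether it leaves it."""
    root = docroot.rstrip("/")
    resolved = posixpath.normpath(posixpath.join(root, path.replace("\\", "/")))
    return resolved != root and not resolved.startswith(root + "/")

def scan(lines, docroot=DOCROOT):
    """Return (line_number, reason, detail) for each suspicious download request."""
    findings = []
    for number, line in enumerate(lines, 1):
        for segment in DOWNLOAD_RE.findall(line):
            decoded = decode_segment(segment)
            if decoded is None:
                findings.append((number, "undecodable", segment))
            elif "\x00" in decoded or escapes_docroot(decoded, docroot):
                findings.append((number, "outside-docroot", decoded))
    return findings

def sample_line(path_text):
    """Build one constructed access-log line whose segment encodes path_text."""
    seg = base64.urlsafe_b64encode(path_text.encode()).decode()
    return f'203.0.113.7 - - [04/Sep/2025:10:00:00 +0000] "GET /apprain/common/download/{seg} HTTP/1.1" 200 512'

# Constructed sample log (not captured traffic): one in-root path, two that leave it.
PATHS = ("uploads/report.pdf", "../../outside/placeholder.txt", "/outside/placeholder.txt")
SAMPLE_LOG = [sample_line(p) for p in PATHS]
SAMPLE_LOG.append('203.0.113.7 - - [04/Sep/2025:10:00:03 +0000] "GET /apprain/common/download/%%% HTTP/1.1" 400 0')

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The check is lexical only, so a symlink inside the document root that points elsewhere is not caught; treat a clean scan as a triage result, not proof that no file was read.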
CVE
Exploitation
No