Multiple vulnerabilities in Flexense products
Posted date 20/01/2026
Identifier
INCIBE-2026-040
Importance
4 - High
Affected Resources
- Sync Breeze Enterprise Server v10.4.18;
- Disk Pulse Enterprise v10.4.18.
Description
INCIBE has coordinated the publication of 11 vulnerabilities: 5 high severity and 6 medium severity, affecting Flexense's Sync Breeze Enterprise Server and Disk Pulse Enterprise, solutions for file synchronization and disk monitoring. The vulnerabilities were discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type for each vulnerability:
- From CVE-2025-59891 to CVE-2025-59894: CVSS v4.0: 8.5 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-352
- CVE-2025-59895: CVSS v4.0: 8.2 | CVSS AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N | CWE-20
- From CVE-2025-59896 to CVE-2025-59900: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
- CVE-2025-59901: CVSS v4.0: 4.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-352
Solution
No solution has been reported at this time.
Detail
- Cross-Site Request Forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request, to:
- CVE-2025-59891: change a user's password or create users via '/setup_login?sid=', affecting the 'username', 'password', and 'cpassword' parameters.
- CVE-2025-59892: delete commands individually via '/delete_command?sid=', using the 'cid' parameter.
- CVE-2025-59893: rename commands via '/rename_command?sid=', affecting the 'command_name' parameter.
- CVE-2025-59894: delete all commands via '/delete_all_commands?sid='.
- CVE-2025-59895: Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. An attacker could send malicious requests to alter the configuration file, causing the application to become unresponsive. In a successful scenario, the service may not recover on its own and require a complete reinstallation, as the configuration becomes corrupted and prevents the service from restarting, even manually.
- Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in various parameters via POST requests:
- CVE-2025-59896: '/add_command?sid=', affecting the 'command_name' parameter.
- CVE-2025-59897: '/edit_command?sid=', affecting the 'source_dir' and 'dest_dir' parameters.
- CVE-2025-59898: '/add_exclude_dir?sid=', affecting the 'exclude_dir' parameter.
- CVE-2025-59899: '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters.
- CVE-2025-59900: '/rename_command?sid=', affecting the 'command_name' parameter.
- CVE-2025-59901: Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session.
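The three weakness classes in this advisory (missing CSRF token, CWE-352; unescaped parameters stored and reflected into pages, CWE-79; unvalidated configuration restore, CWE-20) share a single remedy pattern on the server side: bind an unguessable token to the session and require it on every state-changing POST, encode stored values before they are placed into HTML, and validate an uploaded configuration before it replaces the live one. The following is an added, self-contained illustration of that pattern and is not Flexense's code; the endpoint and parameter names ('/rename_command', 'command_name', 'tasks_logs_dir', 'errors_logs_dir') are taken from the advisory, while the in-memory session store, the handler, and the configuration schema ('max_threads' included) are constructed for the example.

```python
import hmac
import html
import json
import secrets

# Constructed in-memory session store: sid -> {"user": ..., "csrf": ...}.
# A real product would keep this server-side in its own session layer.
SESSIONS = {}


def new_session(user):
    """Create a session and bind a fresh, unguessable CSRF token to it
    (synchronizer token pattern, the CWE-352 mitigation)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_ok(sid, submitted):
    """Accept a state-changing POST only if the token carried in the form body
    matches the one bound to the session; the 'sid' query parameter alone is
    not a CSRF defence because the browser sends it with any cross-site request
    the attacker can construct from the victim's page."""
    session = SESSIONS.get(sid)
    if session is None or submitted is None:
        return False
    return hmac.compare_digest(session["csrf"], submitted)


def render_command_name(name):
    """Encode a stored value at the point it is placed into HTML so it is
    displayed rather than interpreted (the CWE-79 mitigation)."""
    return html.escape(name, quote=True)


def handle_rename_command(sid, form):
    """Hypothetical handler for a '/rename_command?sid=' style endpoint.
    Returns (HTTP status, response body)."""
    if not csrf_ok(sid, form.get("csrf_token")):
        return (403, "CSRF token missing or invalid")
    name = form.get("command_name", "")
    # Input validation is a second layer; output encoding above is what stops XSS.
    if not (1 <= len(name) <= 64):
        return (400, "invalid command_name")
    return (200, "<li>" + render_command_name(name) + "</li>")


# Constructed schema for a hypothetical JSON restore file; the real Flexense
# configuration format is not described in the advisory.
CONFIG_SCHEMA = {"tasks_logs_dir": str, "errors_logs_dir": str, "max_threads": int}


def validate_restored_config(raw):
    """Parse and type-check an uploaded configuration before it is written over
    the live one, so a malformed upload is rejected instead of leaving a file the
    service cannot restart from (the CWE-20 mitigation). Returns the parsed
    dict, or None if the upload must be refused."""
    try:
        data = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(data, dict) or set(data) != set(CONFIG_SCHEMA):
        return None
    for key, expected_type in CONFIG_SCHEMA.items():
        # type() rather than isinstance(): bool is a subclass of int and must not pass as one.
        if type(data[key]) is not expected_type:
            return None
    if data["max_threads"] < 1:
        return None
    return data


if __name__ == "__main__":
    sid = new_session("admin")
    token = SESSIONS[sid]["csrf"]
    print(handle_rename_command(sid, {"command_name": "backup"}))            # 403: no token
    print(handle_rename_command(sid, {"csrf_token": token, "command_name": "<b>x</b>"}))
    print(validate_restored_config('{"tasks_logs_dir": "/var/log/tasks", '
                                   '"errors_logs_dir": "/var/log/errors", "max_threads": 4}'))
```

The token is compared with hmac.compare_digest to avoid a timing side channel, the token is bound to the session rather than to the 'sid' query string the advisory's endpoints carry, and the configuration is validated as a whole before any write happens, so a rejected upload leaves the previous configuration untouched.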
Exploitation
No