PT-2025-16015 · Unknown+1 · Fusiondirectory+1

Dockx +1 · Published 2025-04-10 · Updated 2025-04-11 · CVE-2025-32807
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FusionDirectory versions prior to 1.5
Description: A path traversal vulnerability in FusionDirectory allows remote attackers to read arbitrary files on the host that end with .png (and .svg or .xpm for some configurations) via the icon parameter of a GET request to "geticon.php".
Recommendations: For versions prior to 1.5, update to version 1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "geticon.php" endpoint or disabling the icon parameter until a patch is applied.
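
One way to look for attempts against this endpoint in web-server access logs, as an added example that is not part of the advisory or of FusionDirectory: it flags "geticon.php" requests whose icon value, after percent-decoding, contains a parent-directory segment, an absolute path or a NUL byte. The combined log format, the /fusiondirectory/ URL prefix and every sample line are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo up to `rounds` further layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_icon(url):
    """Return the decoded icon value if it looks like path traversal, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/geticon.php"):
        return None
    # parse_qs removes one encoding layer; decode_fully handles double encoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("icon", []):
        icon = decode_fully(raw).replace("\\", "/")
        if ".." in icon.split("/") or icon.startswith("/") or "\x00" in icon:
            return icon
    return None

def scan(lines):
    """Return (line number, decoded icon value) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        icon = suspicious_icon(match.group(1)) if match else None
        if icon is not None:
            hits.append((number, icon))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2025:10:00:01 +0000] "GET /fusiondirectory/geticon.php?icon=document-edit HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Apr/2025:10:00:05 +0000] "GET /fusiondirectory/geticon.php?icon=..%2F..%2F..%2Fexample%2Fprivate%2Fdiagram.png HTTP/1.1" 200 20480',
    '198.51.100.9 - - [10/Apr/2025:10:00:06 +0000] "GET /fusiondirectory/index.php?icon=..%2Fother.png HTTP/1.1" 200 900',
    '198.51.100.9 - - [10/Apr/2025:10:00:07 +0000] "GET /fusiondirectory/geticon.php?icon=..%252F..%252Fexample%252Fshape.svg HTTP/1.1" 200 3100',
]

if __name__ == "__main__":
    for number, icon in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious icon value {icon!r}")
```

A hit with a 200 status and a response size unlike a normal icon is worth following up first; the same check can back a reverse-proxy rule while the upgrade to 1.5 is pending.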

Related Identifiers: CVE-2025-32807

Affected Products: Debian, Fusiondirectory