PT-2025-23022 · Sscms · Sscms
Published: 2025-05-27 · Updated: 2025-05-29
CVE-2025-45529
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
SSCMS version 7.3.1
Description
The issue allows attackers to read arbitrary files by sending a crafted GET request to the "/cms/templates/templatesAssetsEditor" API endpoint, exploiting a flaw in the ReadTextAsynchronous function.
Recommendations
For SSCMS version 7.3.1, consider restricting access to the /cms/templates/templatesAssetsEditor API endpoint until a patch is available. As a temporary workaround, disabling the ReadTextAsynchronous function may help mitigate the risk of exploitation.
Exploit
Fix
Files Accessible to External Parties
Weakness Enumeration
Related Identifiers
Affected Products
Sscms