PT-2025-3906 · Unknown · Pmb Platform

Pau Valls Peleteiro · Published 2025-01-16 · Updated 2025-01-18 · CVE-2025-0473

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

PMB Platform versions 4.0.10 and above

Description

The issue exists in the file upload functionality on the /pmb/authorities/import/iimport authorities endpoint. When a file is uploaded via this resource, the server creates a temporary file that will be deleted after the client sends a POST request to /pmb/authorities/import/iimport authorities. However, an attacker can trap and launch the second POST request to prevent the temporary file from being deleted. This allows an attacker to persist temporary files on the server.

Recommendations

For PMB Platform versions 4.0.10 and above, as a temporary workaround, consider restricting access to the /pmb/authorities/import/iimport authorities endpoint to minimize the risk of exploitation. Additionally, avoid using the file upload functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2025-0473

Affected Products

Pmb Platform