PT-2025-41471 · Newforma · Newforma Info Exchange
Adam Merrill +6 · Published 2025-10-09 · Updated 2025-10-10
CVE-2025-35055
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Newforma Info Exchange (NIX) versions prior to 2023.1
Description
Newforma Info Exchange (NIX) contains a flaw in the /UserWeb/Common/UploadBlueimp.ashx API endpoint that allows an authenticated attacker to upload arbitrary files to any location writable by the NIX application. This can lead to the execution of a web shell or other executable content by the web server, as well as the deletion of directories. In versions prior to 2023.1, anonymous access is enabled by default, allowing unauthenticated attackers to exploit this file upload issue by effectively authenticating as 'anonymous'. The vulnerable parameter is not specified.
Recommendations
Versions prior to 2023.1 should be updated to version 2023.1 or later.
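For hosts that ran a version prior to 2023.1, web server logs can be reviewed for use of the endpoint named in the description. The following is an added example, not part of the advisory or of Newforma's code: it assumes IIS W3C extended logs, and the extension list, sample log lines and file names are constructed for illustration.

```python
# Added example: log triage for POSTs to the endpoint named in the advisory,
# plus script paths first requested (HTTP 200) only after such an upload.
ENDPOINT = "/userweb/common/uploadblueimp.ashx"
# Assumption: extensions the web server may execute; match to the host's handlers.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".cshtml")

# Constructed sample log (documentation IP ranges, made-up page names).
SAMPLE = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2025-01-01 10:00:00 192.0.2.10 alice GET /UserWeb/Default.aspx 200
2025-01-01 10:05:00 198.51.100.7 - POST /UserWeb/Common/UploadBlueimp.ashx 200
2025-01-01 10:05:09 198.51.100.7 - GET /UserWeb/Common/constructed-name.aspx 200
2025-01-01 10:06:00 192.0.2.10 alice GET /UserWeb/Default.aspx 200
"""

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def triage(lines):
    """Return (uploads, suspects); suspects are review candidates, not verdicts."""
    known, uploads, suspects = set(), [], []
    for r in parse_w3c(lines):
        path = r.get("cs-uri-stem", "").lower()
        ts, ip = f"{r.get('date')} {r.get('time')}", r.get("c-ip")
        if r.get("cs-method") == "POST" and path == ENDPOINT:
            uploads.append((ts, ip, r.get("cs-username"), r.get("sc-status")))
        elif path != ENDPOINT and path.endswith(SCRIPT_EXT):
            if uploads and path not in known and r.get("sc-status") == "200":
                suspects.append((ts, ip, path))  # new script served after an upload
            elif not uploads:
                known.add(path)  # baseline: scripts seen before any upload

    return uploads, suspects

if __name__ == "__main__":
    ups, sus = triage(SAMPLE.splitlines())
    for u in ups:
        print("upload", *u)
    for s in sus:
        print("review", *s)
```

Legitimate pages first requested after an upload will also appear as review candidates, so the output is a starting list for file-system inspection rather than a finding.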
Fix
RCE
Path traversal
Unrestricted File Upload
Related Identifiers
Affected Products
Newforma Info Exchange