PT-2025-48076 · Unknown · Unform Server
Jan Rodriguez
+1
·
Published
2025-11-25
·
Updated
2025-11-28
·
CVE-2025-34350
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
UnForm Server versions prior to 10.1.15
Description
UnForm Server versions prior to 10.1.15 have an unauthenticated arbitrary file read and SMB coercion issue in the Doc Flow feature’s
arc endpoint. The Doc Flow module uses the arc handler to retrieve and render pages or resources specified by the pp parameter without authentication or path restrictions. This allows an unauthenticated remote attacker to read arbitrary files accessible to the service account by supplying local filesystem paths. On Windows, providing a UNC path can coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay.Recommendations
Update UnForm Server to version 10.1.15 or later.
Fix
Path traversal
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Unform Server