CVE-2025-59793

Name of the Vulnerable Software and Affected Versions Rocket TRUfusion Enterprise versions through 7.10.5

Description Rocket TRUfusion Enterprise through version 7.10.5 exposes the /axis2/services/WsPortalV6UpDwAxis2Impl endpoint to authenticated users, allowing file uploads. The application does not properly sanitize the jobDirectory parameter, enabling the inclusion of path traversal sequences. This allows writing files to arbitrary local filesystem locations, potentially leading to remote code execution. The vulnerability can be chained with the default password 'trubiquity' and exploited through Server-Side Request Forgery (SSRF) to reach internal applications, such as Keycloak instances.

Recommendations Versions prior to 7.10.5 are affected.