CVE Catalog

CVE-2025-1782

Critical
Published: Translated: NVD NIST

Summary

In the HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used, which can be exploited to include an arbitrary file in the PHP code.

Risk Assessment

This vulnerability allows an authenticated attacker with a valid user account to execute arbitrary actions as the web server user, posing a significant security risk to the system.

Recommendation

It is recommended to implement proper input sanitization mechanisms and review and update the system to mitigate this vulnerability.

Original NVD description (English source)

In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker to be authenticated with a valid user account.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS