CVE-2025-1782
CriticalSummary
In the HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used, which can be exploited to include an arbitrary file in the PHP code.
Risk Assessment
This vulnerability allows an authenticated attacker with a valid user account to execute arbitrary actions as the web server user, posing a significant security risk to the system.
Recommendation
It is recommended to implement proper input sanitization mechanisms and review and update the system to mitigate this vulnerability.
Original NVD description (English source)
In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker to be authenticated with a valid user account.

