CVE-2025-66955
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
Local File Inclusion vulnerability in Contact Plan, E-Mail, SMS and Fax components of Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via the "path" parameter in downloadAttachment and downloadAttachmentFromPath API calls.
Risk Assessment
The organization is at risk of unauthorized reading of sensitive system files, potentially leading to disclosure of configuration data, passwords, or other confidential information.
Recommendation
Immediately update Asseco SEE Live 2.0 to the latest patched version and restrict API access to trusted users only.
Original NVD description (English source)
Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls.

