Product

HylaFAX Enterprise Web Interface / AvantFAX

Summary

Unsanitized language form field allowing remote code execution

Nature of Advisory

Remote code execution

Susceptibility

All installs are vulnerable to attackers with a valid user account.

Severity

Major

Exploits Known

No

Reported On

Feb 21, 2025

Reported By

Fabian Beskow

Posted On

Apr 8, 2025

Last Updated On

Apr 8, 2025

Advisory Contact

patrice.fournier AT ifax DOT com

CVE Name

CVE-2025-1782

CVSS 3.1 Base Value

9.9

CVSS 3.1 Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-94

Description

The language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. Requires attacker to be authenticated with a valid user account.

Resolution

Only accept user provided language value from a list of available languages.

Affected Versions

Product

Release Series

HylaFAX Enterprise Web Interface

1.3.x

1.3.1,1.3.0

HylaFAX Enterprise Web Interface

1.2.x

1.2.0

HylaFAX Enterprise Web Interface

0.x

All releases

AvantFAX

3.4.x

3.4.0

AvantFAX

3.3.x

All releases

AvantFAX

<3.3.0

All releases

Corrected In

Product

Release

HylaFAX Enterprise Web Interface

1.3.2

HylaFAX Enterprise Web Interface

1.2.1

AvantFAX

3.4.1

This document may be superseded by later versions; if so, the latest version will be posted at https://www.ifax.com/security/CVE-2025-1728.html

Revision History

Date

Editor

Revisions Made

Apr 8, 2025

Patrice Fournier

Initial revision