Vulnerability Recap

Cybersecurity News, CVE Recaps, and Education Resource

CVE Updates (August 4 – 10, 2025)

Vuln Recap Editor, August 11, 2025 | August 10, 2025

Here are the CVE updates for the week of August 4 through August 10, 2025.

🔴 Critical Severity Vulnerabilities

Path Traversal in Assemblyline 4 Service Client Allows Arbitrary File Write | CVE-2025-55013

Description:
Assemblyline 4 Service Client, which interacts with the API to fetch tasks and publish results, contains a path traversal flaw in versions below 4.6.1.dev138. In the task_handler.py component, the client accepts a SHA-256 value from the service server and directly uses it as a local file name without sanitization or validation. Therefore, a malicious or compromised server — or even a man-in-the-middle (MITM) attacker — can return a crafted payload like ../../../etc/cron.d/evil. This action may overwrite critical files or plant malicious executables, leading to system compromise.

Potential Impacts:

  • Arbitrary File Write: Overwrite sensitive system files, configuration files, or binaries.
  • Privilege Escalation: Inject malicious cron jobs or scripts for execution with elevated privileges.
  • Persistence: Deploy backdoors or maintain long-term access to the compromised system.
  • Service Disruption: Corrupt application or system files to cause denial of service.

Mitigation Recommendations:

  • Update Assemblyline 4 Service Client: Upgrade to 4.6.1.dev138 or later.
  • Input Validation: Apply strict sanitization and validation for file name inputs.
  • Restrict File System Permissions: Run with least privileges and limit write access.
  • Monitor and Audit: Check logs for unusual file writes and unauthorized cron entries.
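The defect above comes down to trusting a server-supplied string as a file name. The following added example (not code from the Assemblyline project; WORK_DIR and the function names are assumptions) shows the vulnerable pattern beside the hardened one: the value is accepted only if it is a 64-character hexadecimal digest, which by construction leaves no room for path separators or `..`, and a lexical confinement check is kept as defence in depth.

```python
import os
import re

# Constructed example, not code from the Assemblyline project. It models a
# service client that receives a "sha256" string from the service server and
# turns it into a local file name; WORK_DIR and the function names are assumed.
WORK_DIR = "/tmp/al_service_work"
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def unsafe_task_path(sha256_from_server: str) -> str:
    """Vulnerable pattern: the server-supplied value becomes the file name unchanged."""
    return os.path.join(WORK_DIR, sha256_from_server)


def escapes_work_dir(path: str) -> bool:
    """True when the lexically normalized path does not sit below WORK_DIR."""
    base = os.path.normpath(WORK_DIR)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def safe_task_path(sha256_from_server: str) -> str:
    """Hardened pattern: accept only a 64-character hex digest, then confine the path.

    The regex leaves no room for '/', '\\' or '..', so traversal is impossible by
    construction; the confinement check is defence in depth against a later
    change that relaxes the format.
    """
    value = sha256_from_server.strip().lower()
    if not SHA256_RE.fullmatch(value):
        raise ValueError(f"rejected file name from server: {sha256_from_server!r}")
    path = os.path.join(WORK_DIR, value)
    if escapes_work_dir(path):
        raise ValueError("resolved path escaped the working directory")
    return path


def accepts(sha256_from_server: str) -> bool:
    """Convenience wrapper: True if the value would be accepted as a file name."""
    try:
        safe_task_path(sha256_from_server)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    crafted = "../../../etc/cron.d/evil"  # the kind of value the advisory describes
    print("unsafe  ->", os.path.normpath(unsafe_task_path(crafted)))
    print("escapes ->", escapes_work_dir(unsafe_task_path(crafted)))
    print("accepts ->", accepts(crafted), accepts("ab" * 32))
```

Note that `os.path.join` silently discards the base directory when the second argument is absolute, which is one more reason to validate the format rather than rely on path joining alone.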

Stack-Based Buffer Overflow in Simple Web Server 2.2 rc2 via Connection Header | CVE-2012-10053

Description:
Simple Web Server 2.2 rc2 suffers from a stack-based buffer overflow in its processing of the Connection HTTP header. Because the server uses vsprintf() without bounds checking, an overly long string can overwrite memory on the stack. Since this occurs before authentication, attackers can exploit it remotely without prior access. As a result, exploitation can lead to arbitrary code execution with the server process’s privileges.

Potential Impacts:

  • Remote Code Execution (RCE): Full compromise of the server process.
  • Denial of Service (DoS): Server crash from memory corruption.
  • Privilege Escalation: Gain higher-level access if the server runs with elevated privileges.

Mitigation Recommendations:

  • Update or Replace the Server: Migrate to a secure, maintained web server.
  • Apply Bounds Checking: Use safe functions like vsnprintf() with size limits.
  • Deploy a Web Application Firewall (WAF): Block requests with excessively long headers.
  • Run with Least Privileges: Use a low-privilege account for the server.
  • Network Segmentation: Restrict external access where possible.

Arbitrary File Upload in CuteFlow ≤ 2.11.2 | CVE-2012-10050

Description:
CuteFlow versions 2.11.2 and earlier fail to validate or restrict uploaded file types in restart_circulation_values_write.php. Because uploaded files are stored in /upload/___1/ and are web-accessible, attackers can upload malicious PHP files and execute them remotely without authentication. This flaw grants complete control over the server.

Potential Impacts:

  • Remote Code Execution (RCE): Full server compromise.
  • Website Defacement: Alter site content or insert malicious scripts.
  • Data Theft or Manipulation: Read, modify, or delete sensitive files and database content.
  • Pivoting: Launch further attacks inside the network.

Mitigation Recommendations:

  • Update CuteFlow: Patch to a secure version.
  • Restrict File Types: Allow only safe formats like PDF, JPG, PNG.
  • Use Randomized Filenames and Non-Web-Accessible Upload Folders.
  • Apply Web Server Hardening: Disable execution permissions in upload directories.
  • Deploy a WAF: Block suspicious uploads.

Unauthenticated Command Injection in ESVA | CVE-2012-10046

Description:
The E-Mail Security Virtual Appliance (ESVA) — tested on version ESVA_2057 — contains an unauthenticated command injection flaw in learn-msg.cgi. The id parameter is not sanitized, allowing attackers to inject arbitrary shell commands. Since no login is required, an attacker can execute commands with the web server’s privileges immediately after connecting.

Potential Impacts:

  • Remote Code Execution (RCE): Full system compromise without authentication.
  • Data Theft or Manipulation: Steal or alter sensitive email and system data.
  • Service Disruption: Disable email filtering functions.
  • Lateral Movement: Use the compromised appliance to attack internal systems.

Mitigation Recommendations:

  • Patch/Upgrade: Install a fixed version.
  • Input Validation: Sanitize and validate the id parameter.
  • Restrict Network Access: Allow management interface only from trusted hosts.
  • Use a WAF: Detect and block command injection attempts.
  • Monitor Logs: Watch for suspicious activity in learn-msg.cgi.
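The root cause here is an unvalidated parameter reaching a shell. The added example below (not ESVA's code; the id format, the helper program and its arguments are assumptions) contrasts building a shell command string with validating the value against a strict pattern and then passing it as a single argv element with no shell involved, so metacharacters are never re-parsed.

```python
import re
import subprocess
import sys

# Constructed example, not ESVA's code. It models a CGI-style handler that takes
# an "id" parameter and hands it to a helper program; the id format, the helper
# and its arguments are assumptions.
# A leading '-' is disallowed so the value can never be parsed as an option.
MESSAGE_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_command_line(message_id: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell command string.

    Only the string is built here; it is never executed. Under a shell, every
    metacharacter in message_id (';', '|', '$(', backticks) would be honoured.
    """
    return f"/usr/local/bin/learn-msg --id {message_id}"


def is_valid_message_id(message_id: str) -> bool:
    return MESSAGE_ID_RE.fullmatch(message_id) is not None


def run_learn_msg(message_id: str) -> str:
    """Hardened pattern: validate first, then pass the value as one argv element
    with no shell involved, so nothing in it is ever re-parsed.

    The real helper is replaced by a Python one-liner so the example runs anywhere.
    """
    if not is_valid_message_id(message_id):
        raise ValueError(f"invalid id parameter: {message_id!r}")
    helper = [sys.executable, "-c", "import sys; print('learned', sys.argv[1])"]
    result = subprocess.run(helper + [message_id], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print(run_learn_msg("msg-20250804-0001"))
    for bad in ("42;id", "42|id", "$(id)", "-rf", ""):
        print(repr(bad), "valid?", is_valid_message_id(bad))
```

The allow-list regex is the primary control; the argv-list invocation is what makes the fix robust even if a future change lets a wider character set through.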

Unauthenticated Arbitrary File Creation in MobileCartly | CVE-2012-10044

Description:
MobileCartly 1.0 does not check authentication before using file_put_contents() in savepage.php with attacker-supplied parameters. Because attackers can specify both the filename and content, they can create arbitrary files in /pages/ or other writable directories. If executable scripts are uploaded, remote code execution becomes possible.

Potential Impacts:

  • Remote Code Execution (RCE): Execute malicious PHP scripts.
  • Website Defacement: Alter site content.
  • Data Theft: Steal credentials or sensitive information.
  • Privilege Escalation: Establish persistent access.

Mitigation Recommendations:

  • Apply a Patch: Update to a secure version.
  • Enforce Authentication: Require login before file creation.
  • Restrict File Types: Block executable uploads in web-accessible paths.
  • Directory Permissions: Limit write access to critical locations.
  • Monitor and Audit: Check logs for suspicious file creation requests.
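The CuteFlow and MobileCartly entries share one underlying pattern: a request that names a file and supplies its content is honoured without an authentication check, a type restriction, or a safe storage location. The added example below (not code from either project; UPLOAD_ROOT, the session shape, the allow-list and the size limit are assumptions) implements the controls both recaps recommend in one save handler: authentication first, an extension allow-list backed by a magic-bytes check, a random server-side file name, and storage under a root outside the web tree.

```python
import os
import secrets

# Constructed example, not CuteFlow's or MobileCartly's code. It models a
# "save file" endpoint that accepts a client-supplied name and content (the
# pattern behind both CVE-2012-10050 and CVE-2012-10044) and applies the
# controls the recaps recommend. UPLOAD_ROOT, the session shape, the
# allow-list and the size limit are assumptions.
UPLOAD_ROOT = "/srv/app-data/uploads"   # assumed: outside the web root, no execute permission
MAX_BYTES = 10 * 1024 * 1024
# Allowed extension -> leading bytes the content must start with.
MAGIC = {
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}


class SaveRejected(Exception):
    """Raised with the reason a save request was refused."""


def plan_save(session: dict, client_name: str, content: bytes) -> dict:
    """Decide whether and where to store the file, without writing anything."""
    user_id = session.get("user_id")
    if not isinstance(user_id, int):            # enforce authentication before touching the disk
        raise SaveRejected("authentication required")
    if len(content) > MAX_BYTES:
        raise SaveRejected("file too large")
    # basename() drops any directory part; only the final extension is considered,
    # so "shell.php.png" is judged as ".png" and then has to pass the content check.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in MAGIC:
        raise SaveRejected(f"extension not allowed: {ext or '(none)'}")
    if not content.startswith(MAGIC[ext]):
        raise SaveRejected("content does not match declared type")
    # Random server-side name: the client-supplied name never reaches the filesystem.
    stored_name = secrets.token_hex(16) + ext
    target = os.path.join(UPLOAD_ROOT, str(user_id), stored_name)
    if os.path.commonpath([UPLOAD_ROOT, os.path.normpath(target)]) != UPLOAD_ROOT:
        raise SaveRejected("target escaped the upload root")   # defence in depth
    return {"path": target, "owner": user_id, "type": ext}


def rejection_reason(session: dict, client_name: str, content: bytes):
    """None if the save would be allowed, otherwise the reason it is refused."""
    try:
        plan_save(session, client_name, content)
        return None
    except SaveRejected as exc:
        return str(exc)


if __name__ == "__main__":
    pdf = b"%PDF-1.7\n%constructed sample\n"
    print(plan_save({"user_id": 7}, "report.pdf", pdf))
    print(rejection_reason({}, "report.pdf", pdf))
    print(rejection_reason({"user_id": 7}, "shell.php", b"<?php ?>"))
    print(rejection_reason({"user_id": 7}, "shell.php.png", b"<?php ?>"))
    print(rejection_reason({"user_id": 7}, "../../../var/www/x.pdf", pdf))
```

Returning a storage plan instead of writing the file keeps the policy testable on its own; the caller performs the write, and the directory it writes into should be mounted or configured without execute permission as the recaps advise.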

🟠 High Severity Vulnerabilities

D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability (CISA KEV) | CVE-2020-25078: Certain D-Link camera models, including DCS-2530L (before firmware 1.06.01 Hotfix) and DCS-2670L (through firmware 2.02), have an information disclosure flaw. The unauthenticated /config/getuser endpoint is accessible remotely without credentials. Consequently, an attacker can retrieve the administrator password in plaintext and gain immediate control.

D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability (CISA KEV) | CVE-2020-25079: An authenticated command injection vulnerability exists in the cgi-bin/ddns_enc.cgi endpoint of these cameras. Because the input is not properly handled, authenticated attackers can execute arbitrary system commands with the privileges of the web server process, leading to full device compromise.

D-Link DNR-322L Download of Code Without Integrity Check Vulnerability (CISA KEV) | CVE-2022-40799: The “Backup Config” feature of D-Link DNR-322L devices running firmware version 2.60B15 and earlier fails to validate or sanitize configuration data. As a result, authenticated attackers can inject and execute operating system commands with full privileges.
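The D-Link entries above and the "Monitor Logs" advice in the ESVA entry both reduce to watching web-server access logs for requests to known-bad endpoints. The added example below (not vendor code) parses a handful of constructed access-log lines and flags three things: any hit on the endpoints the advisories name, a source address outside the networks that should be allowed to reach a management interface, and shell metacharacters in query parameters. The endpoint names are from the recaps; their directory paths, the trusted networks and the combined-log format are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed example for log review, not vendor code. The access-log lines in
# SAMPLE_LOG are constructed; the endpoint names come from the advisories, while
# their directory paths, the trusted networks and the log format are assumptions.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_META = re.compile(r"[;&|`$<>\n]")   # characters that alter shell parsing of an argument
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WATCHED = {                                 # matched as path suffixes
    "/config/getuser": "CVE-2020-25078: unauthenticated credential disclosure endpoint",
    "/ddns_enc.cgi": "CVE-2020-25079: command injection endpoint",
    "/learn-msg.cgi": "CVE-2012-10046: unauthenticated command injection endpoint",
}
SAMPLE_LOG = [
    '203.0.113.9 - - [05/Aug/2025:10:01:02 +0000] "GET /config/getuser HTTP/1.1" 200 118',
    '192.168.1.20 - - [05/Aug/2025:10:02:15 +0000] "GET /cgi-bin/learn-msg.cgi?id=42 HTTP/1.1" 200 53',
    '198.51.100.7 - - [05/Aug/2025:10:03:44 +0000] "GET /cgi-bin/learn-msg.cgi?id=42%3Bid HTTP/1.1" 200 211',
    '192.168.1.5 - - [05/Aug/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def analyze_line(line: str) -> list:
    """Return findings for one access-log line (empty list if nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    path = unquote(parts.path)
    hit = next((suffix for suffix in WATCHED if path.endswith(suffix)), None)
    if hit is None:
        return []
    findings = [f"{m['ip']} requested {path} ({WATCHED[hit]})"]
    try:
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in TRUSTED_NETS):
            findings.append(f"{m['ip']} is outside the trusted management networks")
    except ValueError:
        findings.append(f"unparseable source address {m['ip']!r}")
    # parse_qs already percent-decodes, so %3B is examined as ';'.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                findings.append(f"shell metacharacters in parameter {key!r}: {value!r}")
    return findings


def scan(lines) -> list:
    """Run analyze_line over an iterable of log lines and flatten the findings."""
    return [finding for line in lines for finding in analyze_line(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on path suffix rather than the full path keeps the rule useful when the CGI directory differs between firmware builds; the percent-decoding step matters because an encoded `%3B` would otherwise slip past a naive substring search for `;`.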

Authentication Bypass in Fedify Allows Complete Actor Impersonation | CVE-2025-54888: Fedify, a TypeScript library for building ActivityPub-based federated applications, processes activities before verifying that the signing key belongs to the claimed actor. Consequently, an unauthenticated attacker can impersonate any actor by signing activities with their own keys.
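The Fedify flaw is an ordering problem: a valid signature proves that someone holding the key signed the message, not that the key belongs to the actor named in the activity. The added example below (not Fedify's code) models an inbox handler with constructed actor records; HMAC over the body stands in for the real HTTP Signature verification with the actor's public key, so only the ordering of checks is the point. The vulnerable handler accepts an activity as soon as the signature verifies, while the hardened one first resolves the key's owner and requires it to match the claimed actor.

```python
import hashlib
import hmac
import json

# Constructed example, not Fedify's code. It models an ActivityPub inbox that
# receives a signed activity and shows why key ownership must be checked before
# the activity is processed. The actor records are constructed, and HMAC over
# the body stands in for the real HTTP Signature verification with the actor's
# public key; only the ordering of the checks is the point.
ACTORS = {   # constructed "fetched" actor documents: id -> key id and key material
    "https://alice.example/actor": {"key_id": "https://alice.example/actor#main-key", "secret": b"alice-key"},
    "https://mallory.example/actor": {"key_id": "https://mallory.example/actor#main-key", "secret": b"mallory-key"},
}
KEY_OWNER = {rec["key_id"]: actor_id for actor_id, rec in ACTORS.items()}
ALICE = "https://alice.example/actor"
MALLORY = "https://mallory.example/actor"


def make_signed_request(signer: str, activity: dict) -> dict:
    """The sender's side: serialize the activity and sign it with the signer's key."""
    rec = ACTORS[signer]
    body = json.dumps(activity, sort_keys=True).encode()
    return {
        "key_id": rec["key_id"],
        "body": body,
        "signature": hmac.new(rec["secret"], body, hashlib.sha256).hexdigest(),
    }


def signature_is_valid(key_id: str, body: bytes, signature: str) -> bool:
    """Stand-in for verifying the signature with the key that key_id names."""
    owner = KEY_OWNER.get(key_id)
    if owner is None:
        return False
    expected = hmac.new(ACTORS[owner]["secret"], body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def vulnerable_inbox(request: dict) -> str:
    """Signature checks out -> process the activity as whatever actor it claims."""
    if not signature_is_valid(request["key_id"], request["body"], request["signature"]):
        return "rejected: bad signature"
    activity = json.loads(request["body"])
    return f"accepted: activity from {activity['actor']}"


def hardened_inbox(request: dict) -> str:
    """Signature checks out AND the key's owner is the claimed actor -> process."""
    if not signature_is_valid(request["key_id"], request["body"], request["signature"]):
        return "rejected: bad signature"
    activity = json.loads(request["body"])
    if KEY_OWNER.get(request["key_id"]) != activity.get("actor"):
        return "rejected: signing key does not belong to the claimed actor"
    return f"accepted: activity from {activity['actor']}"


def impersonation_attempt() -> dict:
    """Mallory signs with her own key but names Alice as the actor."""
    return make_signed_request(MALLORY, {"type": "Follow", "actor": ALICE, "object": "https://bob.example/actor"})


def genuine_request() -> dict:
    return make_signed_request(ALICE, {"type": "Follow", "actor": ALICE, "object": "https://bob.example/actor"})


if __name__ == "__main__":
    print("vulnerable:", vulnerable_inbox(impersonation_attempt()))
    print("hardened:  ", hardened_inbox(impersonation_attempt()))
    print("hardened:  ", hardened_inbox(genuine_request()))
```

In a real deployment the owner lookup means fetching the actor document that the key id points to and comparing its `publicKey.owner` (or equivalent) with the activity's `actor` before any side effect occurs; the constructed `KEY_OWNER` table stands in for that fetch.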

🟡 Medium Severity Vulnerabilities

Path Traversal in Tiny-Scientist Allows Arbitrary PDF File Access | CVE-2025-55149: Tiny-Scientist contains a path traversal vulnerability in versions 0.1.1 and below. Specifically, the flaw in review_paper allows attackers to read arbitrary PDF files by bypassing directory restrictions through crafted paths.

Remote Code Execution in Craft CMS via /updater/restore-db Endpoint Bypassing CVE-2025-23209 | CVE-2025-54417: Craft CMS is vulnerable in certain versions to a bypass that enables RCE when the security key is compromised and a file is placed in /storage/backups. An attacker can then trigger command execution via the /updater/restore-db endpoint.

SQL Injection in OpenMetadata | CVE-2025-50468: OpenMetadata versions 1.4.4 and below have a SQL injection flaw in listCount. The entityType parameter is unsanitized, allowing attackers to manipulate queries and potentially exfiltrate sensitive data.
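To make the OpenMetadata entry concrete, the added example below (not OpenMetadata's code) uses an in-memory SQLite database as a stand-in for the metadata store and shows a listCount-style query written three ways: with the entityType value concatenated into the SQL text, with a bound parameter, and with a bound parameter plus an allow-list of known entity types. Table and column names, the allow-list and the sample rows are assumptions.

```python
import sqlite3

# Constructed example, not OpenMetadata's code. An in-memory SQLite database
# stands in for the metadata store, and the three listCount-style helpers show
# the vulnerable pattern beside the hardened ones. Table and column names,
# the entity-type allow-list and the sample rows are assumptions.
KNOWN_ENTITY_TYPES = {"table", "dashboard", "pipeline", "topic"}


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE entity (id INTEGER PRIMARY KEY, entity_type TEXT, name TEXT);
        CREATE TABLE api_key (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO entity (entity_type, name) VALUES ('table', 'orders'), ('table', 'users'), ('dashboard', 'sales');
        INSERT INTO api_key (token) VALUES ('constructed-secret-token');
    """)
    return conn


def list_count_vulnerable(conn, entity_type: str) -> list:
    """Vulnerable pattern: the parameter is concatenated into the SQL text."""
    sql = f"SELECT COUNT(*) FROM entity WHERE entity_type = '{entity_type}'"
    return conn.execute(sql).fetchall()


def list_count_parameterized(conn, entity_type: str) -> int:
    """Hardened pattern: a bound parameter is data, never SQL, whatever it contains."""
    row = conn.execute("SELECT COUNT(*) FROM entity WHERE entity_type = ?", (entity_type,)).fetchone()
    return row[0]


def list_count_safe(conn, entity_type: str) -> int:
    """Parameter binding plus an allow-list, so unknown types are refused up front."""
    if entity_type not in KNOWN_ENTITY_TYPES:
        raise ValueError(f"unknown entityType: {entity_type!r}")
    return list_count_parameterized(conn, entity_type)


# A constructed injection string: it closes the quoted literal, appends a UNION
# that reads another table, and comments out the trailing quote.
INJECTION = "table' UNION SELECT token FROM api_key --"


if __name__ == "__main__":
    conn = setup()
    print("vulnerable:", list_count_vulnerable(conn, INJECTION))
    print("parameterized:", list_count_parameterized(conn, INJECTION))
    try:
        list_count_safe(conn, INJECTION)
    except ValueError as exc:
        print("safe:", exc)
    print("safe, normal input:", list_count_safe(conn, "table"))
```

The bound parameter alone already turns the injection string into a literal that matches no row; the allow-list on top of it rejects malformed input before it reaches the database at all, which also gives you a clean point to log attempts.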
