216.73.217.64

CVE-2025-35052

· Published 09/10/2025 21:15 · Modified 09/10/2025 21:15

Labels: CVE-2025-35052 2025-10-099119a7d8-5eab-497f-8521-727c672e3725CVE-2025-35052CWE-321

Essential information

Published
09/10/2025 21:15
Modified
09/10/2025 21:15
Author
Creator
CVSS
6.3 MEDIUM (v3) 6.3 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Newforma Info Exchange (NIX) uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify paths to download files, potentially bypassing authentication and authorization, for example, the 'qs' parameter used in '/DownloadWeb/download.aspx'. This key is shared across NIX installations. NIX 2023.3 and 2024.1 limit the use of hard-coded keys.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
9119a7d8-5eab-497f-8521-727c672e3725
NVD
View on NVD

Affected products (CPE)

ProductCPE
newforma / newforma info exchange cpe:2.3:a:newforma:newforma_info_exchange:2023.3:*:*:*:*:*:*:*
newforma / newforma info exchange cpe:2.3:a:newforma:newforma_info_exchange:2024.1:*:*:*:*:*:*:*

References