CVE-2025-35055

· Published 09/10/2025 21:15 · Modified 09/10/2025 21:15

Labels: CVE-2025-35055, 2025-10-09, 9119a7d8-5eab-497f-8521-727c672e3725, CWE-22

Essential information

Published: 09/10/2025 21:15
Modified: 09/10/2025 21:15
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No

Description

Newforma Info Exchange (NIX) '/UserWeb/Common/UploadBlueimp.ashx' allows an authenticated attacker to upload an arbitrary file to any location writable by the NIX application. An attacker can upload and run a web shell or other content executable by the web server. An attacker can also delete directories. In Newforma before 2023.1, anonymous access is enabled by default (CVE-2025-35062), allowing an otherwise unauthenticated attacker to effectively authenticate as 'anonymous' and exploit this file upload vulnerability.

NVD status

Status: Received. CVE has been recently published to the CVE List and has been received by the NVD.
Source: 9119a7d8-5eab-497f-8521-727c672e3725

Affected products (CPE)

Product: newforma / newforma info exchange
CPE: cpe:2.3:a:newforma:newforma_info_exchange:<2023.1:*:*:*:*:*:*:*

References