| TVN ID | TVN-202510004 |
|---|---|
| CVE ID | CVE-2025-11898, CVE-2025-11899 |
| CVSS | CVE-2025-11898: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N; CVE-2025-11899: 8.1 (High) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected Products | Agentflow 4.0 |
| Description | CVE-2025-11898 (Arbitrary File Reading): Unauthenticated remote attackers can exploit Relative Path Traversal to download arbitrary system files. CVE-2025-11899 (Use of Hard-coded Cryptographic Key): Unauthenticated remote attackers can exploit the fixed key to generate verification information, thereby logging into the system as any user. The attacker must first obtain a user ID to exploit this vulnerability. |
| Solution | The vendor has released the patch, which is available through CRM. |
| Credit | Linwz (DEVCORE) |
| Public Date | 2025-10-17 |
