Multiple vulnerabilities in the PMB platform
Posted date 14/01/2025
Identifier
INCIBE-2025-0012
Importance
5 - Critical
Affected Resources
The following versions of the PMB platform are affected:
- versions 4.2.13 and below;
- versions 4.0.10 and above.
Description
INCIBE has coordinated the publication of 3 vulnerabilities affecting the PMB platform: 1 of critical severity, 1 of high severity and 1 of medium severity. They were discovered by Pau Valls Peleteiro.
Each vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-0471: CVSS v3.1: 9.9 | CVSS AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | CWE-434.
- CVE-2025-0472: CVSS v3.1: 7.5 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-200.
- CVE-2025-0473: CVSS v3.1: 6.5 | CVSS AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | CWE-459.
Solution
There is no reported solution at this time.
Detail
- CVE-2025-0471: unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine and so be able to access, modify and execute commands freely.
- CVE-2025-0472: information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response.
- CVE-2025-0473: vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the ‘/pmb/authorities/import/iimport_authorities’ endpoint. When a file is uploaded via this resource, the server creates a temporary file that is deleted after the client sends a POST request to ‘/pmb/authorities/import/iimport_authorities’. This workflow is automated by the web client; however, an attacker can trap and launch the second POST request to prevent the temporary file from being deleted.
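With no fix available, the two-request workflow described for CVE-2025-0473 can be monitored from the web server's access log: a POST to the import endpoint that is not followed by a second POST from the same client suggests a temporary file was left behind. The script below is an added example, not code from INCIBE or the PMB project. It assumes the Apache/nginx combined log format, identifies clients by IP address, and uses an assumed 60-second pairing window; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/pmb/authorities/import/iimport_authorities"  # path as quoted in the advisory
WINDOW = timedelta(seconds=60)  # assumption: the client's follow-up POST arrives within 60 s

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def parse(line):
    """Return (ip, timestamp, method, path without query string) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def unpaired_uploads(lines, window=WINDOW):
    """Return (ip, timestamp) for each POST to ENDPOINT that was not followed
    by a second POST from the same client within `window`."""
    pending, flagged = {}, []  # pending: ip -> time of the POST awaiting its follow-up
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r[1])
    for ip, ts, method, path in records:
        if method != "POST" or path != ENDPOINT:
            continue
        first = pending.pop(ip, None)
        if first is None:
            pending[ip] = ts             # first POST of a pair
        elif ts - first > window:
            flagged.append((ip, first))  # earlier POST never got its follow-up
            pending[ip] = ts
        # otherwise the follow-up arrived in time and the pair is complete
    flagged.extend(pending.items())      # still waiting when the log ends
    return sorted(flagged, key=lambda f: f[1])

# Constructed sample lines (documentation IP ranges), not taken from a real server.
_POST = f'"POST {ENDPOINT} HTTP/1.1" 200 512'
SAMPLE_LOG = [
    f'192.0.2.10 - - [14/Jan/2025:10:00:00 +0000] {_POST}',
    f'192.0.2.10 - - [14/Jan/2025:10:00:02 +0000] {_POST}',
    f'198.51.100.7 - - [14/Jan/2025:10:05:00 +0000] {_POST}',
    '203.0.113.5 - - [14/Jan/2025:10:06:00 +0000] "GET / HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, ts in unpaired_uploads(SAMPLE_LOG):
        print(f"unpaired import POST from {ip} at {ts.isoformat()}")
```

A flagged entry is a lead for checking the server's temporary storage, not proof of abuse: clients behind a shared address or an interrupted browser session produce the same pattern.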