Multiple vulnerabilities in e-management of e-solutions

Posted date 31/03/2025
Identifier
INCIBE-2025-0165
Importance
4 - High
Affected Resources

All versions of e-management.

Description

INCIBE has coordinated the publication of 2 vulnerabilities, one of critical severity and one of high severity, affecting e-management of e-solutions, a network management and monitoring suite, which have been discovered by Konrad Kowal Karp.

Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-3021: CVSS v4.0: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-22
  • CVE-2025-3022: CVSS v4.0: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-78
Solution

There is no reported solution at this time.

Detail

CVE-2025-3021: Path traversal vulnerability in e-solutions e-management. An unauthenticated remote attacker (the vector has PR:N and UI:N) could read confidential files outside the intended directory by supplying a crafted value in the ‘file’ parameter of the /downloadReport.php endpoint.

CVE-2025-3022: Operating system command injection vulnerability in e-solutions e-management. An unauthenticated remote attacker (PR:N, UI:N) could execute arbitrary operating system commands on the server by supplying a crafted value in the ‘client’ parameter of the /data/apache/e-management/api/api3.php endpoint.
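With no fix available, the practical control is to detect (and, at a proxy or WAF, block) attempts against the two endpoints the advisory names. The following Python script is an added example written for this page; it is not INCIBE's code nor any code from e-solutions. It assumes the web front-end writes Apache combined-format access logs, flags requests to /downloadReport.php whose ‘file’ parameter contains a traversal segment or an absolute path (CVE-2025-3021), and flags requests to /data/apache/e-management/api/api3.php whose ‘client’ parameter contains shell separators or command substitution (CVE-2025-3022). Values are percent-decoded repeatedly so double-encoded payloads are not missed, and the query string is split on ‘&’ only, because ‘;’ is itself a payload character here. The log lines at the bottom are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Endpoint -> (parameter, CVE) exactly as named in the advisory.
WATCHED = {
    "/downloadReport.php": ("file", "CVE-2025-3021"),
    "/data/apache/e-management/api/api3.php": ("client", "CVE-2025-3022"),
}

# Apache combined-format access log line (assumption: the front-end logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# A "../" or "..\" path segment, in either slash style.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Shell separators and command substitution that have no place in a client name.
SHELL_META_RE = re.compile(r"[;|&`$\n\r]|\$\(")


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e%252e%252f) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(query):
    """Split a query string on '&' only; ';' must stay inside the value so it can be inspected."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        params.setdefault(unquote(key), []).append(raw)
    return params


def classify_request(target):
    """Return (cve, reason) for a suspicious request target, or None if it looks benign."""
    parts = urlsplit(target)
    if parts.path not in WATCHED:
        return None
    param, cve = WATCHED[parts.path]
    for raw in query_params(parts.query).get(param, []):
        value = decode_fully(raw)
        if cve == "CVE-2025-3021" and (TRAVERSAL_RE.search(value) or value.startswith("/")):
            return cve, f"path traversal in '{param}': {value!r}"
        if cve == "CVE-2025-3022" and SHELL_META_RE.search(value):
            return cve, f"shell metacharacters in '{param}': {value!r}"
    return None


def scan_log(lines):
    """Run classify_request over access-log lines; return one dict per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job should count and report these
        verdict = classify_request(m.group("target"))
        if verdict:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                         "status": m.group("status"), "cve": verdict[0], "reason": verdict[1]})
    return hits


# Constructed sample lines for illustration; not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2025:10:00:01 +0200] "GET /downloadReport.php?file=report_2025.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [31/Mar/2025:10:00:07 +0200] "GET /downloadReport.php?file=../../../../etc/passwd HTTP/1.1" 200 1842',
    '10.0.0.9 - - [31/Mar/2025:10:00:09 +0200] "GET /downloadReport.php?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 210',
    '10.0.0.7 - - [31/Mar/2025:10:01:13 +0200] "GET /data/apache/e-management/api/api3.php?client=router01 HTTP/1.1" 200 812',
    '10.0.0.9 - - [31/Mar/2025:10:01:20 +0200] "GET /data/apache/e-management/api/api3.php?client=router01;id HTTP/1.1" 200 930',
    '10.0.0.9 - - [31/Mar/2025:10:01:25 +0200] "GET /data/apache/e-management/api/api3.php?client=x%24(whoami) HTTP/1.1" 200 930',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['cve']}  {hit['ip']}  {hit['method']}  {hit['status']}  {hit['reason']}")
```

Two caveats. Access logs only show query strings of GET requests; a parameter sent in a POST body is invisible here, so the same checks belong in a reverse proxy or WAF that sees the full request, and a 200 status on a flagged line should be treated as a likely successful read or command execution, not just an attempt. The patterns are heuristics chosen for the two parameters the advisory names; they will not catch every encoding, so until a vendor fix is published the endpoints should also be restricted to trusted networks.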

References list