CVE-2025-1782

EUVD-2025-10912
In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code, allowing an attacker to do anything as the web server user. This flaw requires the attacker to be authenticated with a valid user account.
Code Injection
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| redhat | CNA | 9.9 CRITICAL | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
EPSS Score percentile: 41%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| ifax | hylafax | x < 1.2.0 | CNA |
| ifax | hylafax | 1.2.0 ≤ x < 1.2.1 | CNA |
| ifax | hylafax | 1.3.0 ≤ x < 1.3.2 | CNA |
| ifax | hylafax | x < 3.4.0 | CNA |
| ifax | hylafax | 3.4.0 ≤ x < 3.4.1 | CNA |