
    4 vulnerabilities by SYNCPILOT

    CVE-2025-2306 (GCVE-0-2025-2306)

    Vulnerability from cvelistv5 – Published: 2025-05-16 12:10 – Updated: 2025-05-16 13:02
    VLAI
    Title
    Improper Access Control vulnerability in LIVE CONTRACT
    Summary
    An Improper Access Control vulnerability was identified in the file download functionality. This vulnerability allows users to download sensitive documents without authentication if the URL is known. The attack requires the attacker to know the document's UUIDv4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    SYNCPILOT LIVE CONTRACT Affected: 3 , < 5.4.12 (semver)
    Affected: 5.5 , < 5.5.4 (semver)
    Affected: 5.6 , < 5.6.3 (semver)
    Credits
    Felix Schmid <felix.schmid@cirosec.de>

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2306",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T13:02:34.088925Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-16T13:02:39.876Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LIVE CONTRACT",
              "vendor": "SYNCPILOT",
              "versions": [
                {
                  "lessThan": "5.4.12",
                  "status": "affected",
                  "version": "3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.5.4",
                  "status": "affected",
                  "version": "5.5",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.6.3",
                  "status": "affected",
                  "version": "5.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Felix Schmid \u003cfelix.schmid@cirosec.de\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn Improper Access Control vulnerability was\nidentified in the file download functionality. This vulnerability allows users\nto download sensitive documents without authentication, if the URL is known.\u003c/p\u003e\n\n\u003cp\u003eThe attack\nrequires the attacker to know the documents UUIDv4.\u003c/p\u003e"
                }
              ],
              "value": "An Improper Access Control vulnerability was\nidentified in the file download functionality. This vulnerability allows users\nto download sensitive documents without authentication, if the URL is known.\n\n\n\nThe attack\nrequires the attacker to know the documents UUIDv4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-16T12:10:13.895Z",
            "orgId": "a341c0d1-ebf7-493f-a84e-38cf86618674",
            "shortName": "cirosec"
          },
          "references": [
            {
              "url": "https://www.cirosec.de/sa/sa-2025-004"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to versions\u0026nbsp;5.4.12, 5.5.4, 5.6.3 or higher."
                }
              ],
              "value": "Update to versions\u00a05.4.12, 5.5.4, 5.6.3 or higher."
            }
          ],
          "source": {
            "advisory": "SA-2025-004",
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-04T23:00:00.000Z",
              "value": "Vendor was contacted and informed about the vulnerability via email."
            },
            {
              "lang": "en",
              "time": "2025-03-04T23:00:00.000Z",
              "value": "Initial response received from vendor. Vendor acknowledged the vulnerability."
            },
            {
              "lang": "en",
              "time": "2025-03-12T23:00:00.000Z",
              "value": "Vendor informed us that the issue was resolved."
            }
          ],
          "title": "Improper Access Control vulnerability in LIVE CONTRACT",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a341c0d1-ebf7-493f-a84e-38cf86618674",
        "assignerShortName": "cirosec",
        "cveId": "CVE-2025-2306",
        "datePublished": "2025-05-16T12:10:13.895Z",
        "dateReserved": "2025-03-14T12:24:19.522Z",
        "dateUpdated": "2025-05-16T13:02:39.876Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2305 (GCVE-0-2025-2305)

    Vulnerability from cvelistv5 – Published: 2025-05-16 12:09 – Updated: 2025-05-16 13:04
    VLAI
    Title
    Local file inclusion vulnerability in LIVE CONTRACT
    Summary
    A path traversal vulnerability was identified in the file download functionality. This vulnerability allows unauthenticated users to download arbitrary files from the Linux server, in the context of the application server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    SYNCPILOT LIVE CONTRACT Affected: 3 , < 5.4.12 (semver)
    Affected: 5.5 , < 5.5.4 (semver)
    Affected: 5.6 , < 5.6.3 (semver)
    Credits
    Felix Schmid <felix.schmid@cirosec.de>

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2305",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T13:04:19.139164Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-16T13:04:26.030Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LIVE CONTRACT",
              "vendor": "SYNCPILOT",
              "versions": [
                {
                  "lessThan": "5.4.12",
                  "status": "affected",
                  "version": "3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.5.4",
                  "status": "affected",
                  "version": "5.5",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.6.3",
                  "status": "affected",
                  "version": "5.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Felix Schmid \u003cfelix.schmid@cirosec.de\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA Path traversal vulnerability in the file\ndownload functionality was identified. This vulnerability allows\nunauthenticated users to download arbitrary files, in the context of the\napplication server, from the Linux server.\u003c/p\u003e"
                }
              ],
              "value": "A Path traversal vulnerability in the file\ndownload functionality was identified. This vulnerability allows\nunauthenticated users to download arbitrary files, in the context of the\napplication server, from the Linux server."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-16T12:09:41.347Z",
            "orgId": "a341c0d1-ebf7-493f-a84e-38cf86618674",
            "shortName": "cirosec"
          },
          "references": [
            {
              "url": "https://www.cirosec.de/sa/sa-2025-003"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to versions\u0026nbsp;5.4.12, 5.5.4, 5.6.3 or higher."
                }
              ],
              "value": "Update to versions\u00a05.4.12, 5.5.4, 5.6.3 or higher."
            }
          ],
          "source": {
            "advisory": "SA-2025-004",
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-04T23:00:00.000Z",
              "value": "Vendor was contacted and informed about the vulnerability via email."
            },
            {
              "lang": "en",
              "time": "2025-03-04T23:00:00.000Z",
              "value": "Initial response received from vendor. Vendor acknowledged the vulnerability."
            },
            {
              "lang": "en",
              "time": "2025-03-12T23:00:00.000Z",
              "value": "Vendor informed us that the issue was resolved."
            }
          ],
          "title": "Local file inclusion vulnerability in LIVE CONTRACT",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a341c0d1-ebf7-493f-a84e-38cf86618674",
        "assignerShortName": "cirosec",
        "cveId": "CVE-2025-2305",
        "datePublished": "2025-05-16T12:09:41.347Z",
        "dateReserved": "2025-03-14T12:24:17.830Z",
        "dateUpdated": "2025-05-16T13:04:26.030Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2306 (GCVE-0-2025-2306)

    Vulnerability from nvd – Published: 2025-05-16 12:10 – Updated: 2025-05-16 13:02
    VLAI
    Title
    Improper Access Control vulnerability in LIVE CONTRACT
    Summary
    An Improper Access Control vulnerability was identified in the file download functionality. This vulnerability allows users to download sensitive documents without authentication if the URL is known. The attack requires the attacker to know the document's UUIDv4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    SYNCPILOT LIVE CONTRACT Affected: 3 , < 5.4.12 (semver)
    Affected: 5.5 , < 5.5.4 (semver)
    Affected: 5.6 , < 5.6.3 (semver)
    Credits
    Felix Schmid <felix.schmid@cirosec.de>

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2306",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T13:02:34.088925Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-16T13:02:39.876Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LIVE CONTRACT",
              "vendor": "SYNCPILOT",
              "versions": [
                {
                  "lessThan": "5.4.12",
                  "status": "affected",
                  "version": "3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.5.4",
                  "status": "affected",
                  "version": "5.5",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.6.3",
                  "status": "affected",
                  "version": "5.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Felix Schmid \u003cfelix.schmid@cirosec.de\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn Improper Access Control vulnerability was\nidentified in the file download functionality. This vulnerability allows users\nto download sensitive documents without authentication, if the URL is known.\u003c/p\u003e\n\n\u003cp\u003eThe attack\nrequires the attacker to know the documents UUIDv4.\u003c/p\u003e"
                }
              ],
              "value": "An Improper Access Control vulnerability was\nidentified in the file download functionality. This vulnerability allows users\nto download sensitive documents without authentication, if the URL is known.\n\n\n\nThe attack\nrequires the attacker to know the documents UUIDv4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-16T12:10:13.895Z",
            "orgId": "a341c0d1-ebf7-493f-a84e-38cf86618674",
            "shortName": "cirosec"
          },
          "references": [
            {
              "url": "https://www.cirosec.de/sa/sa-2025-004"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to versions\u0026nbsp;5.4.12, 5.5.4, 5.6.3 or higher."
                }
              ],
              "value": "Update to versions\u00a05.4.12, 5.5.4, 5.6.3 or higher."
            }
          ],
          "source": {
            "advisory": "SA-2025-004",
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-04T23:00:00.000Z",
              "value": "Vendor was contacted and informed about the vulnerability via email."
            },
            {
              "lang": "en",
              "time": "2025-03-04T23:00:00.000Z",
              "value": "Initial response received from vendor. Vendor acknowledged the vulnerability."
            },
            {
              "lang": "en",
              "time": "2025-03-12T23:00:00.000Z",
              "value": "Vendor informed us that the issue was resolved."
            }
          ],
          "title": "Improper Access Control vulnerability in LIVE CONTRACT",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a341c0d1-ebf7-493f-a84e-38cf86618674",
        "assignerShortName": "cirosec",
        "cveId": "CVE-2025-2306",
        "datePublished": "2025-05-16T12:10:13.895Z",
        "dateReserved": "2025-03-14T12:24:19.522Z",
        "dateUpdated": "2025-05-16T13:02:39.876Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2305 (GCVE-0-2025-2305)

    Vulnerability from nvd – Published: 2025-05-16 12:09 – Updated: 2025-05-16 13:04
    VLAI
    Title
    Local file inclusion vulnerability in LIVE CONTRACT
    Summary
    A path traversal vulnerability was identified in the file download functionality. This vulnerability allows unauthenticated users to download arbitrary files from the Linux server, in the context of the application server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    SYNCPILOT LIVE CONTRACT Affected: 3 , < 5.4.12 (semver)
    Affected: 5.5 , < 5.5.4 (semver)
    Affected: 5.6 , < 5.6.3 (semver)
    Credits
    Felix Schmid <felix.schmid@cirosec.de>

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2305",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T13:04:19.139164Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-16T13:04:26.030Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LIVE CONTRACT",
              "vendor": "SYNCPILOT",
              "versions": [
                {
                  "lessThan": "5.4.12",
                  "status": "affected",
                  "version": "3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.5.4",
                  "status": "affected",
                  "version": "5.5",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.6.3",
                  "status": "affected",
                  "version": "5.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Felix Schmid \u003cfelix.schmid@cirosec.de\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA Path traversal vulnerability in the file\ndownload functionality was identified. This vulnerability allows\nunauthenticated users to download arbitrary files, in the context of the\napplication server, from the Linux server.\u003c/p\u003e"
                }
              ],
              "value": "A Path traversal vulnerability in the file\ndownload functionality was identified. This vulnerability allows\nunauthenticated users to download arbitrary files, in the context of the\napplication server, from the Linux server."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-16T12:09:41.347Z",
            "orgId": "a341c0d1-ebf7-493f-a84e-38cf86618674",
            "shortName": "cirosec"
          },
          "references": [
            {
              "url": "https://www.cirosec.de/sa/sa-2025-003"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to versions\u0026nbsp;5.4.12, 5.5.4, 5.6.3 or higher."
                }
              ],
              "value": "Update to versions\u00a05.4.12, 5.5.4, 5.6.3 or higher."
            }
          ],
          "source": {
            "advisory": "SA-2025-004",
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-04T23:00:00.000Z",
              "value": "Vendor was contacted and informed about the vulnerability via email."
            },
            {
              "lang": "en",
              "time": "2025-03-04T23:00:00.000Z",
              "value": "Initial response received from vendor. Vendor acknowledged the vulnerability."
            },
            {
              "lang": "en",
              "time": "2025-03-12T23:00:00.000Z",
              "value": "Vendor informed us that the issue was resolved."
            }
          ],
          "title": "Local file inclusion vulnerability in LIVE CONTRACT",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a341c0d1-ebf7-493f-a84e-38cf86618674",
        "assignerShortName": "cirosec",
        "cveId": "CVE-2025-2305",
        "datePublished": "2025-05-16T12:09:41.347Z",
        "dateReserved": "2025-03-14T12:24:17.830Z",
        "dateUpdated": "2025-05-16T13:04:26.030Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }