Summary: A critical vulnerability, designated CVE-2025-1782, has been found in the HylaFAX Enterprise Web Interface and AvantFAX due to improper sanitization of a language form element. This flaw allows attackers with valid user accounts to execute arbitrary commands on the web server. Users are urged to upgrade to corrected versions to mitigate risks associated with this vulnerability, which has a CVSS base score of 9.9.
Affected: HylaFAX Enterprise Web Interface and AvantFAX
Key points:
- The vulnerability is tracked as CVE-2025-1782 and affects multiple versions of both products.
- All installs are vulnerable, allowing command execution by authenticated attackers.
- Corrected versions are available: HylaFAX (1.3.2, 1.2.1) and AvantFAX (3.4.1).
- The recommended fix is to accept a user-provided language value only if it matches an entry in a predefined list.
- Users are strongly advised to update immediately due to the high severity of the vulnerability.
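The advisory's remediation point is an allow-list: the language selection must map to one of a fixed set of known values rather than being used as submitted. The following is an added illustration of that pattern and is not code from HylaFAX Enterprise Web Interface or AvantFAX; the page does not say how the language element was consumed internally, so the language table, the default, the form dictionary and the audit log are all assumptions made for the example.

```python
"""Allow-list validation of a user-supplied language selection.

Added example, not code from the affected products. The language table
below is constructed; a real deployment would list the translations it
actually ships.
"""

# Assumption: the installed translations are known at deploy time and
# their keys are the only identifiers the application is allowed to use.
SUPPORTED_LANGUAGES = {
    "en": "English",
    "de": "Deutsch",
    "fr": "Français",
    "es": "Español",
}
DEFAULT_LANGUAGE = "en"
assert DEFAULT_LANGUAGE in SUPPORTED_LANGUAGES


def select_language(form_value, default=DEFAULT_LANGUAGE):
    """Return a canonical language key from SUPPORTED_LANGUAGES.

    The input is trimmed and lower-cased, then compared for exact
    membership in the allow-list. Anything else (near-misses such as
    "en-US", non-string values, empty input) falls back to the default.
    The return value is always one of our own constants, never the raw
    form input, so downstream code can use it in file paths, command
    lines or templates without further escaping.
    """
    if not isinstance(form_value, str):
        return default
    candidate = form_value.strip().lower()
    if candidate in SUPPORTED_LANGUAGES:
        return candidate
    return default


def validate_form(form, audit_log):
    """Validate a decoded form mapping and record rejected values.

    Rejections are logged by type and length only, so a hostile value
    never lands verbatim in the log. The count of rejections per account
    is a useful detection signal for probing of this parameter.
    """
    raw = form.get("language")
    chosen = select_language(raw)
    accepted = isinstance(raw, str) and raw.strip().lower() == chosen
    if raw is not None and not accepted:
        audit_log.append(
            f"rejected language value (type={type(raw).__name__}, "
            f"len={len(str(raw))})"
        )
    return chosen


if __name__ == "__main__":
    # Constructed sample submissions: one valid, one valid after
    # normalisation, one near-miss, one non-string.
    log = []
    for sample in ({"language": "fr"}, {"language": " DE "},
                   {"language": "en-US"}, {"language": ["en"]}, {}):
        print(sample, "->", validate_form(sample, log))
    print("\n".join(log))
```

The important property is that the function never returns anything it did not already know about: the raw string is used only as a lookup key, so no amount of escaping or character filtering is needed and there is no denylist to bypass.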
Source: https://securityonline.info/critical-rce-vulnerability-affects-hylafax-and-avantfax/