CVE-2025-2069 - Vulnerability Details - OpenCVE

A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00053.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

No data.

References

Link	Providers
https://www.filez.com/securityPolicy/2.html?1744703100

History

Fri, 25 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 25 Apr 2025 15:30:00 +0000

Type	Values Removed	Values Added
Description		A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user.
Weaknesses		CWE-79
References		https://www.filez.com/securityPolicy/2.html?1744703100
Metrics		cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: lenovo

Published: 2025-04-25T15:26:55.806Z

Updated: 2025-04-25T16:47:20.616Z

Reserved: 2025-03-06T16:09:24.955Z

Link: CVE-2025-2069

Vulnrichment

Updated: 2025-04-25T16:47:15.565Z

NVD

Status : Deferred

Published: 2025-04-25T16:15:26.020

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2069

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2069", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "state": "PUBLISHED", "assignerShortName": "lenovo", "dateReserved": "2025-03-06T16:09:24.955Z", "datePublished": "2025-04-25T15:26:55.806Z", "dateUpdated": "2025-04-25T16:47:20.616Z"}, "containers": {"cna": {"cpeApplicability": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lenovo:filez_client:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.0.0.11"}]}]}], "affected": [{"defaultStatus": "unaffected", "product": "Client", "vendor": "FileZ", "versions": [{"lessThan": "11.0.0.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user.</span>"}], "value": "A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2025-04-25T15:26:55.806Z"}, "references": [{"url": "https://www.filez.com/securityPolicy/2.html?1744703100"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update FileZ client to 11.0.0.10 or later.\n\n<br>"}], "value": "Update FileZ client to 11.0.0.10 or later."}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T16:47:10.407386Z", "id": "CVE-2025-2069", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T16:47:20.616Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2069", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-25T16:47:10.407386Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T16:47:15.565Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "FileZ", "product": "Client", "versions": [{"status": "affected", "version": "0", "lessThan": "11.0.0.10", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update FileZ client to 11.0.0.10 or later.", "supportingMedia": [{"type": "text/html", "value": "Update FileZ client to 11.0.0.10 or later.\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.filez.com/securityPolicy/2.html?1744703100"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:filez_client:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.0.0.11"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2025-04-25T15:26:55.806Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2069", "state": "PUBLISHED", "dateUpdated": "2025-04-25T16:47:20.616Z", "dateReserved": "2025-03-06T16:09:24.955Z", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "datePublished": "2025-04-25T15:26:55.806Z", "assignerShortName": "lenovo"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user."}, {"lang": "es", "value": "Se inform\u00f3 de una vulnerabilidad de cross-site scripting en el cliente FileZ que podr\u00eda permitir la ejecuci\u00f3n de c\u00f3digo si un usuario local visita una URL manipulada espec\u00edficamente para ello."}], "id": "CVE-2025-2069", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "psirt@lenovo.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2025-04-25T16:15:26.020", "references": [{"source": "psirt@lenovo.com", "url": "https://www.filez.com/securityPolicy/2.html?1744703100"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}