8 matches found
CVE-2022-25026
CVE-2022-25026 is a Server-Side Request Forgery in Rocket TRUfusion Portal v7.9.2.1. An attacker can trigger requests to /trufusionPortal/upDwModuleProxy to access internal resources. CVSS v3.1 base score 7.5 (HIGH); vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. No exploitation details or remediati...
CVE-2022-25027
The CVE-2022-25027 entry concerns Rocket TRUfusion Portal v7.9.2.1, where the Forgotten Password flow can bypass authentication by validating the user’s session token after clicking the Password forgotten?; this is described across multiple sources (NVD, Red Hat CVE entries, OSV) as an authentica...
CVE-2025-27222
TRUfusion Enterprise ≤ 7.10.4.0 is impacted by a pre-auth path-traversal in the /trufusionPortal/getCobrandingData endpoint. The unsanitized input can cause the traversal sequences to be processed, allowing an unauthenticated attacker to read arbitrary local files accessible to the TRUfusion user...
CVE-2025-27224
TRUfusion Enterprise (versions up to 7.10.4.0) is affected by insecure handling of the /trufusionPortal/fileupload endpoint, where input is not properly sanitized, enabling path traversal sequences to write arbitrary files anywhere on the local server and potentially execute code. Root cause: ins...
CVE-2025-27225
TRUfusion Enterprise (versions
CVE-2025-59793
CVE-2025-59793 Details (MODE C) Rocket TRUfusion Enterprise (
CVE-2025-27223
TRUfusion Enterprise
CVE-2025-32355
CVE-2025-32355 affects Rocket TRUfusion Enterprise up to version 7.10.4.0, where the built-in reverse proxy can be misconfigured to accept absolute URLs in the HTTP request line. This enables server-side requests to load arbitrary resources via the proxy, constituting a server-side request forger...