CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48382 – Fess has Insecure Temporary File Permissions
https://notcve.org/view.php?id=CVE-2025-48382
27 May 2025 — Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal... • https://github.com/codelibs/fess/commit/25b2009fea2a0f6ccd5aa8154aa54b536c08f6c4 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000822
https://notcve.org/view.php?id=CVE-2018-1000822
20 Dec 2018 — codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b. codelibs fess, en versiones anteriores al commit con ID faa265b, contiene una vulnerabilidad XEE (XML External Entity) en el analizador de archivos XML GSA q... • https://0dd.zone/2018/10/27/fess-XXE • CWE-611: Improper Restriction of XML External Entity Reference •