Description
LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution.
Published: 2026-04-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a directory traversal vulnerability in the smartgui interface of LifeSize ClearSea that allows authenticated users to manipulate path parameters to download or upload files. By crafting traversal sequences in the upload endpoint, an attacker can place files of their choosing in arbitrary locations on the system, which can be leveraged to execute arbitrary code. The weakness maps to CWE‑22.

Affected Systems

LifeSize ClearSea version 3.1.4 is affected. No other versions or vendors were listed as impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. EPSS is not available and the vulnerability is not listed in CISA KEV, so there is no evidence of widespread exploitation yet. Because the flaw is remotely reachable and requires only authentication, any compromised or guessed credentials could be used to exploit the system. Attackers would need network access to the smartgui interface to send the malicious requests.

Generated by OpenCVE AI on April 30, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest LifeSize ClearSea patch (or upgrade to a version beyond 3.1.4) when it is released by the vendor.
  • Restrict access to the smartgui interface to trusted users only, ensuring strong authentication and least‑privilege credentials.
  • Configure the web server or firewall to block directory traversal strings or disable the upload endpoint until a fix is applied.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Lifesize; Lifesize clearsea
Vendors & Products | | Lifesize; Lifesize clearsea

Wed, 29 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution.
Title | | LifeSize ClearSea 3.1.4 Directory Traversal Remote Code Execution
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
 | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-30T15:22:29.290Z

Reserved: 2026-04-29T12:22:39.954Z

Link: CVE-2018-25312

Vulnrichment

Updated: 2026-04-30T13:13:02.419Z

NVD

Status: Deferred

Published: 2026-04-29T20:16:26.903

Modified: 2026-04-29T21:22:20.120

Link: CVE-2018-25312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:20:40Z

Weaknesses