Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users should upgrade to Agiloft Release 30.
History

Tue, 02 Sep 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Atlassian
Atlassian agiloft
CPEs cpe:2.3:a:atlassian:agiloft:*:*:*:*:*:*:*:*
Vendors & Products Atlassian
Atlassian agiloft

Fri, 29 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 Aug 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Agiloft
Agiloft agiloft
Vendors & Products Agiloft
Agiloft agiloft

Tue, 26 Aug 2025 22:30:00 +0000

Type Values Removed Values Added
Description Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users should upgrade to Agiloft Release 30.
Title Agiloft insecure download of system packages
Weaknesses CWE-494
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2025-08-29T18:27:45.417Z

Reserved: 2025-04-15T20:56:24.416Z

Link: CVE-2025-35115

cve-icon Vulnrichment

Updated: 2025-08-29T18:27:40.512Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-26T23:15:35.540

Modified: 2025-09-02T17:57:25.583

Link: CVE-2025-35115

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-27T11:41:37Z