Impact
A flaw in the Contact Plan, E‑Mail, SMS and Fax modules of Asseco SEE Live 2.0 allows an authenticated user to read arbitrary host files by manipulating the "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls. This local file inclusion vulnerability exposes confidential data such as configuration files, system logs, or credentials, representing an improper file access control weakness (CWE-552). The impact is limited to confidentiality; no integrity or availability effects are described in the CVE write‑up.
Affected Systems
The vulnerability affects Asseco SEE Live 2.0, specifically its Contact Plan, E‑Mail, SMS, and Fax components. Any installation of this version that has the downloadAttachment or downloadAttachmentFromPath APIs enabled is susceptible. No further version granularity is provided beyond the 2.0 release in the CVE description.
Risk and Exploitability
The baseline CVSS score of 6.5 denotes moderate severity, and the EPSS score of less than 1% indicates that widespread exploitation is unlikely at this time. The vulnerability is not listed in CISA’s KEV catalog. To exploit the flaw, an attacker needs only a valid authenticated session with the API; from there the attacker can supply a crafted "path" value to read any file accessible to the application process. Because the flaw bypasses normal file‑access checks, it can expose sensitive data if the user account has sufficient system privileges.
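For log review, the following added example (not code from the vendor or the CVE record) flags requests to the two API calls whose "path" value normalises to a location outside the attachment directory. The log line layout, the /api/ URL prefix, the attachment root and the user names are assumptions made for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit
import posixpath

# API call names as given in the advisory.
ENDPOINTS = ("downloadAttachment", "downloadAttachmentFromPath")
# Assumption: attachments are served from one directory (placeholder path).
ATTACHMENT_ROOT = "/srv/app/attachments"

# Constructed sample lines: "<user> <method> <url> <status>".
SAMPLE_LOG = [
    "alice GET /api/downloadAttachment?path=2024/invoice-17.pdf 200",
    "bob GET /api/downloadAttachmentFromPath?path=..%2F..%2F..%2Fetc%2Fpasswd 200",
    "bob GET /api/downloadAttachment?path=%252e%252e%252fconf%252fapp.properties 200",
    "carol GET /api/downloadAttachment?path=/var/log/syslog 403",
    "dave GET /api/listContacts?path=../x 200",
]


def escapes_root(requested, root=ATTACHMENT_ROOT):
    """Return True if `requested` normalises to a location outside `root`."""
    # Decode once more to catch double-encoded separators, then unify slashes.
    candidate = unquote(requested).replace("\\", "/")
    # NUL bytes and Windows drive letters never belong in an attachment name.
    if "\x00" in candidate or candidate[1:2] == ":":
        return True
    # join() discards `root` when `candidate` is absolute; normpath folds "..".
    # Lexical check only: a server-side guard should also resolve symlinks.
    resolved = posixpath.normpath(posixpath.join(root, candidate))
    return not (resolved + "/").startswith(root + "/")


def flag_requests(lines):
    """Return (user, endpoint, path, status) for out-of-root path values."""
    hits = []
    for line in lines:
        user, _method, url, status = line.split()
        parts = urlsplit(url)
        endpoint = parts.path.rsplit("/", 1)[-1]
        if endpoint not in ENDPOINTS:
            continue
        # parse_qs performs the first round of percent-decoding.
        for value in parse_qs(parts.query).get("path", []):
            if escapes_root(value):
                hits.append((user, endpoint, value, int(status)))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned a success status is the one to investigate first, since file contents may have been sent in the response.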
OpenCVE Enrichment